Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545722
MD5:	a5c626cb978c8d7070f00e5eeeac13f9
SHA1:	929fb15c8986ace36982084caa8920ef468bc2d9
SHA256:	771b92aa0caa8192579d931ee8dbfc2a3b01a2b7cc21daba7714d7d8c3bad91a
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6320 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A5C626CB978C8D7070F00E5EEEAC13F9)

taskkill.exe (PID: 1220 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5924 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3784 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6052 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4832 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 1948 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 800 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3196 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1112 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e3ee68f-9cdf-464b-bcc4-bfcae5e827a3} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" 230a1e6d710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7624 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3904 -parentBuildID 20230927232528 -prefsHandle 3912 -prefMapHandle 3908 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85363194-8cc0-4802-91a8-e213973fd8be} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" 230b43aee10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1136 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4948 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4972 -prefMapHandle 4740 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be7d4054-5c38-4189-9f83-6f293799c454} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" 230bc211b10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2201583150.000000000124F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 6320	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00EFEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00EFEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EFED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00EFED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00EFEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EEAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00EEAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F19576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F19576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2137193054.0000000000F42000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_26963f6b-a
Source: file.exe, 00000000.00000000.2137193054.0000000000F42000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b1fe6b3a-b
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9d1db378-2
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e4b8619a-b

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001F24EB52377 NtQuerySystemInformation,		18_2_000001F24EB52377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001F24EB75C32 NtQuerySystemInformation,		18_2_000001F24EB75C32

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EED5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00EED5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00EE1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EEE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00EEE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E88060	0_2_00E88060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF2046	0_2_00EF2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE8298	0_2_00EE8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBE4FF	0_2_00EBE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB676B	0_2_00EB676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F14873	0_2_00F14873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8CAF0	0_2_00E8CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EACAA0	0_2_00EACAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9CC39	0_2_00E9CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB6DD9	0_2_00EB6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9D063	0_2_00E9D063
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E891C0	0_2_00E891C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9B119	0_2_00E9B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA1394	0_2_00EA1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA781B	0_2_00EA781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9997D	0_2_00E9997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E87920	0_2_00E87920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA7A4A	0_2_00EA7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA7CA7	0_2_00EA7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB9EEE	0_2_00EB9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F0BE44	0_2_00F0BE44
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001F24EB52377	18_2_000001F24EB52377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001F24EB75C32	18_2_000001F24EB75C32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001F24EB75C72	18_2_000001F24EB75C72
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001F24EB7635C	18_2_000001F24EB7635C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00EA0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E9F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E89CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@67/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF37B5 GetLastError,FormatMessageW,

0_2_00EF37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE10BF AdjustTokenPrivileges,CloseHandle,		0_2_00EE10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EE16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00EE16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00EF51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EED4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00EED4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00EF648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E842A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2100:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2384710308.00000230BDC55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289712975.00000230BC064000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2384710308.00000230BDC55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2384710308.00000230BDC55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2384710308.00000230BDC55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2286884214.00000230BDDC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2384710308.00000230BDC55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2384710308.00000230BDC55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2384710308.00000230BDC55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2384710308.00000230BDC55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2384710308.00000230BDC55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e3ee68f-9cdf-464b-bcc4-bfcae5e827a3} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" 230a1e6d710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3904 -parentBuildID 20230927232528 -prefsHandle 3912 -prefMapHandle 3908 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85363194-8cc0-4802-91a8-e213973fd8be} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" 230b43aee10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4948 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4972 -prefMapHandle 4740 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be7d4054-5c38-4189-9f83-6f293799c454} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" 230bc211b10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e3ee68f-9cdf-464b-bcc4-bfcae5e827a3} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" 230a1e6d710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3904 -parentBuildID 20230927232528 -prefsHandle 3912 -prefMapHandle 3908 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85363194-8cc0-4802-91a8-e213973fd8be} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" 230b43aee10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4948 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4972 -prefMapHandle 4740 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be7d4054-5c38-4189-9f83-6f293799c454} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" 230bc211b10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000E.00000003.2388119169.00000230BA60A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000E.00000003.2388119169.00000230BA60A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000E.00000003.2388119169.00000230BA60A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000E.00000003.2388119169.00000230BA60A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000E.00000003.2387594399.00000230BA6C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372378638.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000E.00000003.2393705643.00000230B4661000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2393164280.00000230B46AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364309315.00000230B46AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2402716713.00000230AFA86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000E.00000003.2388839982.00000230BA54B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362366157.00000230BA523000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2373684965.00000230BA526000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388972677.00000230BA523000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2373767586.00000230BA523000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdbUGP source: firefox.exe, 0000000E.00000003.2404601583.00000230AFA86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdbP source: firefox.exe, 0000000E.00000003.2388119169.00000230BA60A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: npmproxy.pdb source: firefox.exe, 0000000E.00000003.2404601583.00000230AFA86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000E.00000003.2388119169.00000230BA60A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000E.00000003.2378759103.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2390759589.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376414997.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000E.00000003.2371893670.00000230BA82A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387372173.00000230BA82B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2361806862.00000230BA82A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000E.00000003.2378759103.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2390759589.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376414997.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdbp%J source: firefox.exe, 0000000E.00000003.2372378638.00000230BA6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387520768.00000230BA6DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000E.00000003.2395072030.00000230B43A4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000E.00000003.2388839982.00000230BA54B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2373684965.00000230BA526000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: freebl3.pdbfxa-menu-send-tab-to-device source: firefox.exe, 0000000E.00000003.2388119169.00000230BA60A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000E.00000003.2376414997.00000230B4AC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2378759103.00000230B4AC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2390759589.00000230B4ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdbmetrics#fog.max_pings_per_minute source: firefox.exe, 0000000E.00000003.2387594399.00000230BA6C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372378638.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdbrgba(12, 12, 13, 0.5) source: firefox.exe, 0000000E.00000003.2372378638.00000230BA6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387520768.00000230BA6DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdbP4 source: firefox.exe, 0000000E.00000003.2378759103.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2390759589.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376414997.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2399044741.00000230AFA7D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2402716713.00000230AFA86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000E.00000003.2378759103.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2390759589.00000230B4A63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2390759589.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376414997.00000230B4A63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2378759103.00000230B4A63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376414997.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdbX source: firefox.exe, 0000000E.00000003.2388119169.00000230BA60A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000E.00000003.2388119169.00000230BA60A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000E.00000003.2388119169.00000230BA60A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000E.00000003.2389726431.00000230B5940000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2399044741.00000230AFA7D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000E.00000003.2394410146.00000230B456E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364823214.00000230B456E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2394623517.00000230B4556000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365310267.00000230B4556000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000E.00000003.2373023415.00000230BA5F6000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E842DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA0A76 push ecx; ret

0_2_00EA0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E9F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F11C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95357

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001F24EB52377 rdtsc

18_2_000001F24EB52377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EEDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00EEDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBC2A2 FindFirstFileExW,	0_2_00EBC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF68EE FindFirstFileW,FindClose,	0_2_00EF68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00EF698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EED076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EED3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EF9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EF979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00EF9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00EF5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E842DE

Source: firefox.exe, 00000010.00000002.3403692566.0000024B5C93A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: firefox.exe, 00000010.00000002.3409163873.0000024B5CF10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?V=
Source: firefox.exe, 00000013.00000002.3403484637.0000021A8371A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp*
Source: firefox.exe, 00000010.00000002.3403692566.0000024B5C93A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW](M
Source: firefox.exe, 00000012.00000002.3403111735.000001F24E37A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3409080757.000001F24EC50000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3408017203.0000021A83A00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3408567561.0000024B5CE17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.3409080757.000001F24EC50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: firefox.exe, 00000010.00000002.3409163873.0000024B5CF10000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3409080757.000001F24EC50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000012.00000002.3409080757.000001F24EC50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHH

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001F24EB52377 rdtsc

18_2_000001F24EB52377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EFEAA2 BlockInput,

0_2_00EFEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00EB2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E842DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00EA4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00EE0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EB2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EA083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA09D5 SetUnhandledExceptionFilter,	0_2_00EA09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00EA0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00EE1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EC2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EEB226 SendInput,keybd_event,

0_2_00EEB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00F022DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00EE0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EE1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00EE1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2367456806.00000230B6701000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA0698 cpuid

0_2_00EA0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00EF8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EDD27A GetUserNameW,

0_2_00EDD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EBB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00EBB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E842DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2201583150.000000000124F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6320, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2201583150.000000000124F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6320, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F01204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00F01204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F01806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F01806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	0%	URL Reputation	safe
https://support.mozilla.org/	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.253.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.193	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.193.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.185.238	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.110	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3403864633.000001F24E5C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3404758331.0000021A839C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2363671396.00000230B46FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2213403675.00000230BA786000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2319044246.00000230BA784000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000013.00000002.3404758331.0000021A8398E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2217536608.00000230B336A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2218574130.00000230B2764000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2291710380.00000230BA8DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2374273735.00000230B59C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2186886620.00000230B1F10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187065451.00000230B1F32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187246638.00000230B1F53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186663792.00000230B1D00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2216771346.00000230B3470000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216771346.00000230B34B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216771346.00000230B34CF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2384776695.00000230BDC49000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2387679448.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292329861.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372378638.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2217834686.00000230B332C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186886620.00000230B1F10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321559040.00000230B37E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187065451.00000230B1F32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187246638.00000230B1F53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186663792.00000230B1D00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2186886620.00000230B1F10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187065451.00000230B1F32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186663792.00000230B1D00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000E.00000003.2220045017.00000230BABBF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2374371012.00000230B5985000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362366157.00000230BA523000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364823214.00000230B45D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388972677.00000230BA523000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2390759589.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2373767586.00000230BA523000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2215832213.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376414997.00000230B4AA9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://ac	firefox.exe, 00000013.00000002.3403864384.0000021A83790000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.instagram.com/	firefox.exe, 0000000E.00000003.2234514650.00000230B3FDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2229405612.00000230B3FDE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=https://accounts.googlH	firefox.exe, 00000013.00000002.3403484637.0000021A8371A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2292329861.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000E.00000003.2290315632.00000230BA947000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2288376347.00000230BC438000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2217536608.00000230B33F3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2361806862.00000230BA84A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3403864633.000001F24E50A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3404758331.0000021A8390C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2275001331.00000230B351D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242990217.00000230B351D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2217536608.00000230B336A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3403864633.000001F24E5C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3404758331.0000021A839C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2242990217.00000230B350E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2226336525.00000230B39CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2384710308.00000230BDC55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2383139659.00000230BC0D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2361364419.00000230BC0D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2216771346.00000230B34CF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2288376347.00000230BC430000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000013.00000002.3404758331.0000021A83913000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2217536608.00000230B336A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2296328978.00000230B41EF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2290315632.00000230BA9D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2215832213.00000230B4ADA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300155621.00000230B2297000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368942434.00000230B3F36000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2356544254.00000230B37E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2380690193.00000230B2E13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2375585817.00000230B54F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2415596905.00000230B3F38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2415798701.00000230B2E15000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2415940482.00000230B22F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234514650.00000230B3FCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2215215396.00000230BA8A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387520768.00000230BA6DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187967232.00000230B201F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2215832213.00000230B4A3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2229405612.00000230B3FF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321559040.00000230B37E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2411584792.00000230B2297000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2414932417.00000230B201A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195072329.00000230B22D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2190965440.00000230B2E13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2319044246.00000230BA7D1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 0000000E.00000003.2220045017.00000230BABBF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2215215396.00000230BA86E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217536608.00000230B33F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291940200.00000230BA86E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2215215396.00000230BA86E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2217536608.00000230B33F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291940200.00000230BA86E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2290315632.00000230BA9D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2319044246.00000230BA784000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2387679448.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292329861.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372378638.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2218574130.00000230B2764000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2385867475.00000230BA972000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290315632.00000230BA972000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2387679448.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292329861.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372378638.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=https://acv	firefox.exe, 00000012.00000002.3408197095.000001F24E6B0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2295128280.00000230B5557000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2374770447.00000230B5557000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2275001331.00000230B351D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242990217.00000230B351D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242990217.00000230B3515000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2275733639.00000230B325D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2244314776.00000230B3525000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2291710380.00000230BA8DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2374273735.00000230B59C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2217536608.00000230B336A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2218574130.00000230B2764000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2287666354.00000230BDCF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287017952.00000230BDDB5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2186663792.00000230B1D00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000E.00000003.2296328978.00000230B41EF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000E.00000003.2217834686.00000230B332C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186886620.00000230B1F10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321559040.00000230B37E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187065451.00000230B1F32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2187246638.00000230B1F53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186663792.00000230B1D00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.3408343721.0000024B5CD30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3407915409.000001F24E660000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3408093152.0000021A83B00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureWebExtensionUncheckedLastErr	firefox.exe, 0000000E.00000003.2288376347.00000230BC430000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.leboncoin.fr/Could	firefox.exe, 0000000E.00000003.2218574130.00000230B2764000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000E.00000003.2217536608.00000230B336A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000E.00000003.2275001331.00000230B351D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242990217.00000230B351D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2244314776.00000230B3525000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	firefox.exe, 00000010.00000002.3405131463.0000024B5CCCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3403864633.000001F24E5EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3408322155.0000021A83C03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/	firefox.exe, 0000000E.00000003.2296328978.00000230B41EF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	firefox.exe, 0000000E.00000003.2288376347.00000230BC430000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/search	firefox.exe, 0000000E.00000003.2213254058.00000230BA781000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213531840.00000230BAA9D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	firefox.exe, 0000000E.00000003.2288376347.00000230BC430000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.185.238	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545722
Start date and time:	2024-10-30 21:54:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@67/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 42 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.11.191.138, 35.160.212.113, 54.185.230.140, 184.28.90.27, 142.250.186.174, 2.22.61.56, 2.22.61.59, 142.250.186.42, 142.250.186.74, 142.250.184.206
Excluded domains from analysis (whitelisted): client.wns.windows.com, shavar.prod.mozaws.net, fs.microsoft.com, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, e16604.g.akamaiedge.net, safebrowsing.googleapis.com, prod.fs.microsoft.com.akadns.net, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:55:18	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	Reminders for Msp-partner_ Server Alert.eml	Get hash	malicious	HTMLPhisher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	https://wetransfer.com/downloads/bd15c1f671ae60c5a56e558eb8cc43bf20241030150256/3b30cd5b9ce1ffb29d79c9118153941c20241030150256/70baef?t_exp=1730559776&t_lsid=6bd545a9-d09b-4abd-a317-124dbe9fe64d&t_network=email&t_rid=YXV0aDB8NjZlYWI0YTExODhmYzc1OGMzMmNiODIx&t_s=download_link&t_ts=1730300576&utm_campaign=TRN_TDL_01&utm	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	Paiement.eml	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	34.117.59.81
	172.104.150.66.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/file	Get hash	malicious	Unknown	Browse	34.117.239.71
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://pub-6838e3dd185d4df89d3bb3eabe6469a4.r2.dev/index.html#	Get hash	malicious	Unknown	Browse	151.101.2.137
	https:/click.mailchimp.com/track/click/30010842/docsend.com?p=eyJzIjoiT2RaN0hwNHlyY2E3VXl5TWcwMlA2eFpHVlN3IiwidiI6MSwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2RvY3NlbmQuY29tXFxcL3ZpZXdcXFwvZzZnYzZjazdtNHlkYTRpa1wiLFwiaWRcIjpcImNhZDg3NzI1Y2UzMjRiMzI4Yzk1ZGVkYWUyMzc4ZTZjXCIsXCJ1cmxfaWRzXCI6W1wiYzE5ZWU5NGJiMzA5YmZhOGQ2MDU3OGI1Mjk5NTFmOWE4NDQ0ODNhYVwiXX0ifQ#steven.davis@tu.edu	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	Access Audits -System #6878.msg	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	(No subject) (100).eml	Get hash	malicious	Tycoon2FA	Browse	151.101.2.137
	Reminders for Msp-partner_ Server Alert.eml	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/file	Get hash	malicious	Unknown	Browse	34.1.246.194
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/file	Get hash	malicious	Unknown	Browse	34.1.246.194
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_98b256db-8edc-4665-a906-46cc0b924b85.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.183998946877313
Encrypted:	false
SSDEEP:	192:4BMXc+xcbhbVbTbfbRbObtbyEl7nYrUJA6unSrDtTkdxSofy:4i1cNhnzFSJ4rn1nSrDhkdx+
MD5:	D701F2B050A3015034D49D993B2CA401
SHA1:	BCCA772FCAB0D87F70C2C7ED94BEFBD1390D4361
SHA-256:	4FD04F711952692BF01FDB3DEEEC9637BF46A1072D4F1C346245248E583FBA94
SHA-512:	54E27F82E21406C79A4CE838F1880B56439787975C0CBAD6DE6C1BAB3BC7BB4CD8E7EB1BB7A9F134F53CB8D45DB9C57D6DCFD6F3CB203751D75CD768476BCA18
Malicious:	false
Preview:	{"type":"uninstall","id":"98b256db-8edc-4665-a906-46cc0b924b85","creationDate":"2024-10-30T22:35:44.743Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_98b256db-8edc-4665-a906-46cc0b924b85.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.183998946877313
Encrypted:	false
SSDEEP:	192:4BMXc+xcbhbVbTbfbRbObtbyEl7nYrUJA6unSrDtTkdxSofy:4i1cNhnzFSJ4rn1nSrDhkdx+
MD5:	D701F2B050A3015034D49D993B2CA401
SHA1:	BCCA772FCAB0D87F70C2C7ED94BEFBD1390D4361
SHA-256:	4FD04F711952692BF01FDB3DEEEC9637BF46A1072D4F1C346245248E583FBA94
SHA-512:	54E27F82E21406C79A4CE838F1880B56439787975C0CBAD6DE6C1BAB3BC7BB4CD8E7EB1BB7A9F134F53CB8D45DB9C57D6DCFD6F3CB203751D75CD768476BCA18
Malicious:	false
Preview:	{"type":"uninstall","id":"98b256db-8edc-4665-a906-46cc0b924b85","creationDate":"2024-10-30T22:35:44.743Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.93194605247476
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsL0K8P:gXiNFS+OcUGOdwiOdwBjkYL0K8P
MD5:	852DB5333BF3AE1AC895B2BD8B7BD707
SHA1:	36A9642C0CB12F9C932350F25DA2273509B51F81
SHA-256:	B12FD99E77A154F2D08E9FA2092A93ED22C99DD42E6AB81124F9BC7F60CB014A
SHA-512:	98596E75D7A35A5F94E05466F0A7251E8DBCA24EFB446B3D3C902AFF8CE98C5DB644FAF8ECB676C206930CBD8B5F24A6F6B52050C845880D3A98108B35E6C6E1
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.93194605247476
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsL0K8P:gXiNFS+OcUGOdwiOdwBjkYL0K8P
MD5:	852DB5333BF3AE1AC895B2BD8B7BD707
SHA1:	36A9642C0CB12F9C932350F25DA2273509B51F81
SHA-256:	B12FD99E77A154F2D08E9FA2092A93ED22C99DD42E6AB81124F9BC7F60CB014A
SHA-512:	98596E75D7A35A5F94E05466F0A7251E8DBCA24EFB446B3D3C902AFF8CE98C5DB644FAF8ECB676C206930CBD8B5F24A6F6B52050C845880D3A98108B35E6C6E1
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07332447509741269
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki4X:DLhesh7Owd4+ji4
MD5:	D553AFE43D861CBD6D15B0075A8A1351
SHA1:	21E226AC29CB6C41515FFF2F74DEDD8E2FD08CA7
SHA-256:	2AC207E1F7018AD8DEEA2C5C80B431FF43BF26630532BB3DC75C7DC8E5646425
SHA-512:	F6E60521B58D8ED0EE62CA3C5A05E24C438860EB4B4D00E857D4CA91F62A3D3D048F258351938A6F5AEEB37022EE007A1B3D8C57AB7D381DA4E12A522E1C3D25
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstFu6YZX9HYlstFu6YZXll/llT89//alEl:GtWts6C1YWts6Cv/lJ89XuM
MD5:	FDDE371D741CB389DDA9B1D90B38E1B3
SHA1:	285DF3D1E06D71F51493DBD164F19775D4900C15
SHA-256:	22D372A0B7077141AC5B22E3321136846423883F0F581C21757FA8E6EB14D403
SHA-512:	59B9FF4DD37861E4E40F52492CCCB39920C4E15230945B6AF51C7A33CAC7372D4CB47EB72F51B56A6661226C8D6C6456EBDA24E52A4C51FB28C846CA5B295AC0
Malicious:	false
Preview:	..-.......................J..\..if."...t.u.g..-.......................J..\..if."...t.u.g........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.034939093074797145
Encrypted:	false
SSDEEP:	3:Ol19cyZA5fB2NFTN0SE/lhSrV//mwl8XW3R2:KTZArWTNglEpuw93w
MD5:	FBEA217D098F8BD377E72A78E3FED5CE
SHA1:	E98B6F193DA0EE724E4209243D5C832D47B852AA
SHA-256:	BA66B5B49F231E08410496F242DC6B1BA39270DB13FED18A1948204DC59D5FF8
SHA-512:	8DF9EC3C78F446DEC5435589478060B7CF604FBC879DF1D878408B121CCF1F64DF4B73284187305EAA5A7E0F1C0B53EEDCFAC1CD475624FCA0B0C3B7BDB03A59
Malicious:	false
Preview:	7....-...........if.".<0..z.}.........if."..J...\..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.467213532247643
Encrypted:	false
SSDEEP:	192:8nTFTRRUYbBp6sLZNMGaXI6qU4ttzy+/3/7kV5RYiNBw8djSl:eKeVFNMv25yC0dwA0
MD5:	404C4317C1D952A07B8F79086A54309C
SHA1:	508217A60191615B27F087F06B22A07FE262168A
SHA-256:	6E510F8314FF317DE5A559B6C7EFBFA9A3DF6D5F3C2D17EF4CEBE2CFF0514DFF
SHA-512:	11D711964E82D1033E5D1AE63901A81B6EDDDAF609CAF39B62319CE6AF8D020CD1D85D9E2D53A60F16E4B0CDC5D20B9F9C8602A9CB39087B4548F7EB0671FA5C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730327715);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730327715);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730327715);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173032

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.467213532247643
Encrypted:	false
SSDEEP:	192:8nTFTRRUYbBp6sLZNMGaXI6qU4ttzy+/3/7kV5RYiNBw8djSl:eKeVFNMv25yC0dwA0
MD5:	404C4317C1D952A07B8F79086A54309C
SHA1:	508217A60191615B27F087F06B22A07FE262168A
SHA-256:	6E510F8314FF317DE5A559B6C7EFBFA9A3DF6D5F3C2D17EF4CEBE2CFF0514DFF
SHA-512:	11D711964E82D1033E5D1AE63901A81B6EDDDAF609CAF39B62319CE6AF8D020CD1D85D9E2D53A60F16E4B0CDC5D20B9F9C8602A9CB39087B4548F7EB0671FA5C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730327715);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730327715);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730327715);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173032

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.3269624375618125
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSFrLXnIgWcJx/pnxQwRlszT5sKLPm3eHVvwKXTOamhujJmyOOxmD6x:GUpOxArjJLnR6K3eNwCTO4JNGbRh4
MD5:	4322E5DA45CEAC6084CEF8167CA59F46
SHA1:	C4044CDB0235FFA8028B3AE132091639A2C084B5
SHA-256:	96DE4D304B2EFB155A8C3333D136B2C20975F19AB6E2CFCD42C383AF145E3DE0
SHA-512:	90090F00E1D6F6B68C6E01541AE22733B9A68378D976DA773434A6926006338A8731C084A5934EF20115EA8FDF4D4726EBCB9DEF187ACBCD2A0CDF3AF13468AF
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a2d8a66f-83d7-4182-9eb0-c7e1ec35e83d}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730327721029,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..iUpdate...30,"startTim..`684539...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....688401,"origin

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.3269624375618125
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSFrLXnIgWcJx/pnxQwRlszT5sKLPm3eHVvwKXTOamhujJmyOOxmD6x:GUpOxArjJLnR6K3eNwCTO4JNGbRh4
MD5:	4322E5DA45CEAC6084CEF8167CA59F46
SHA1:	C4044CDB0235FFA8028B3AE132091639A2C084B5
SHA-256:	96DE4D304B2EFB155A8C3333D136B2C20975F19AB6E2CFCD42C383AF145E3DE0
SHA-512:	90090F00E1D6F6B68C6E01541AE22733B9A68378D976DA773434A6926006338A8731C084A5934EF20115EA8FDF4D4726EBCB9DEF187ACBCD2A0CDF3AF13468AF
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a2d8a66f-83d7-4182-9eb0-c7e1ec35e83d}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730327721029,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..iUpdate...30,"startTim..`684539...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....688401,"origin

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.3269624375618125
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSFrLXnIgWcJx/pnxQwRlszT5sKLPm3eHVvwKXTOamhujJmyOOxmD6x:GUpOxArjJLnR6K3eNwCTO4JNGbRh4
MD5:	4322E5DA45CEAC6084CEF8167CA59F46
SHA1:	C4044CDB0235FFA8028B3AE132091639A2C084B5
SHA-256:	96DE4D304B2EFB155A8C3333D136B2C20975F19AB6E2CFCD42C383AF145E3DE0
SHA-512:	90090F00E1D6F6B68C6E01541AE22733B9A68378D976DA773434A6926006338A8731C084A5934EF20115EA8FDF4D4726EBCB9DEF187ACBCD2A0CDF3AF13468AF
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a2d8a66f-83d7-4182-9eb0-c7e1ec35e83d}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730327721029,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..iUpdate...30,"startTim..`684539...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....688401,"origin

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.0086201437321325
Encrypted:	false
SSDEEP:	48:YrSAYntHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:yctCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	842A778989BCBCAE1768F5672D73C885
SHA1:	367F5D4E75A1BA35011052B31CAF2107D76B19E2
SHA-256:	09FEA79EF1EAB83DFBAC2B7AF48420EDFEA26C86B8C0A66C120B9CC09970BA73
SHA-512:	97071FF92A2FDEB6FD36ACC8178E7E88F63A82E9E9D0FFC77D1999E156D40DE5D5B4854C26A2C90F0A314EC29DEA6AFBB27794E06C7DDB92454F49CD0E8F9794
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T22:35:01.957Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.0086201437321325
Encrypted:	false
SSDEEP:	48:YrSAYntHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:yctCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	842A778989BCBCAE1768F5672D73C885
SHA1:	367F5D4E75A1BA35011052B31CAF2107D76B19E2
SHA-256:	09FEA79EF1EAB83DFBAC2B7AF48420EDFEA26C86B8C0A66C120B9CC09970BA73
SHA-512:	97071FF92A2FDEB6FD36ACC8178E7E88F63A82E9E9D0FFC77D1999E156D40DE5D5B4854C26A2C90F0A314EC29DEA6AFBB27794E06C7DDB92454F49CD0E8F9794
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T22:35:01.957Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584677562301592
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	a5c626cb978c8d7070f00e5eeeac13f9
SHA1:	929fb15c8986ace36982084caa8920ef468bc2d9
SHA256:	771b92aa0caa8192579d931ee8dbfc2a3b01a2b7cc21daba7714d7d8c3bad91a
SHA512:	ec2a7bd3eb61135a34d4ab512c30029f8de592f57f7a451369cf8e9bb82c4683061e193855fdd79ad5ec84c20fd49428923ff11fdcff5673f04887e3104a4056
SSDEEP:	12288:JqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tr:JqDEvCTbMWu7rQYlBQcBiT6rprG8abr
TLSH:	D0159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67229A4B [Wed Oct 30 20:42:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F7ED8E0A793h
jmp 00007F7ED8E0A09Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7ED8E0A27Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7ED8E0A24Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F7ED8E0CE3Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F7ED8E0CE88h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F7ED8E0CE71h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	0b597e475413bc5d9d8d3cdfdec35901	False	0.3155162183544304	data	5.373687914761335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 21:55:17.007184029 CET	49718	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:17.007237911 CET	443	49718	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:17.008492947 CET	49719	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:17.010617971 CET	49720	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:17.010684013 CET	443	49720	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:17.012897015 CET	49718	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:17.012897015 CET	49720	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:17.014395952 CET	80	49719	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:17.014467001 CET	49719	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:17.027549982 CET	49718	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:17.027579069 CET	443	49718	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:17.029256105 CET	49720	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:17.029268026 CET	443	49720	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:17.029324055 CET	49719	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:17.035149097 CET	80	49719	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:17.249700069 CET	49721	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:17.249794006 CET	443	49721	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:17.254338026 CET	49721	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:17.255788088 CET	49721	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:17.255824089 CET	443	49721	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:17.291924953 CET	49722	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:17.291958094 CET	443	49722	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:17.293093920 CET	49722	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:17.294806957 CET	49722	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:17.294825077 CET	443	49722	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:17.380425930 CET	49723	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:17.380466938 CET	443	49723	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:17.381108999 CET	49723	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:17.382539988 CET	49723	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:17.382551908 CET	443	49723	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:17.610349894 CET	80	49719	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:17.642736912 CET	443	49718	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:17.642910957 CET	49718	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:17.657618046 CET	49719	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:17.751838923 CET	49718	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:17.751866102 CET	443	49718	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:17.752005100 CET	49718	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:17.752146959 CET	443	49718	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:17.752454042 CET	49724	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:17.752491951 CET	443	49724	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:17.752505064 CET	49718	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:17.752546072 CET	49724	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:17.753894091 CET	49724	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:17.753914118 CET	443	49724	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:17.772419930 CET	49725	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:17.772475958 CET	443	49725	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:17.772542953 CET	49725	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:17.772644043 CET	49725	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:17.772661924 CET	443	49725	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:17.838105917 CET	49726	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:17.843950033 CET	80	49726	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:17.844017982 CET	49726	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:17.844127893 CET	49726	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:17.844969988 CET	49727	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:17.844983101 CET	443	49727	34.160.144.191	192.168.2.6
Oct 30, 2024 21:55:17.846098900 CET	49727	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:17.846237898 CET	49727	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:17.846256971 CET	443	49727	34.160.144.191	192.168.2.6
Oct 30, 2024 21:55:17.849999905 CET	80	49726	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:17.890777111 CET	443	49720	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:17.891509056 CET	443	49720	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:17.900259018 CET	49720	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:17.900279045 CET	443	49720	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:17.904853106 CET	49720	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:17.904870033 CET	443	49720	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:17.905009031 CET	49720	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:17.905071974 CET	443	49720	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:17.905277967 CET	49720	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:17.920305014 CET	443	49722	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:17.920439005 CET	49722	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:17.924550056 CET	49722	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:17.924561024 CET	443	49722	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:17.924660921 CET	49722	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:17.924788952 CET	443	49722	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:17.924835920 CET	49722	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:17.924988985 CET	49728	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:17.925018072 CET	443	49728	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:17.925072908 CET	49728	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:17.926378965 CET	49728	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:17.926389933 CET	443	49728	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:18.005448103 CET	443	49723	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:18.005526066 CET	49723	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.010636091 CET	49723	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.010648012 CET	443	49723	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:18.010756016 CET	49723	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.010962009 CET	443	49723	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:18.011022091 CET	49723	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.011152983 CET	49729	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.011204004 CET	443	49729	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:18.011281013 CET	49729	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.012912989 CET	49729	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.012944937 CET	443	49729	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:18.122347116 CET	443	49721	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:18.122850895 CET	49721	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:18.123372078 CET	443	49721	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:18.123801947 CET	49721	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:18.126930952 CET	49721	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:18.126946926 CET	443	49721	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:18.127054930 CET	49721	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:18.127331018 CET	443	49721	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:18.127464056 CET	49730	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:18.127495050 CET	443	49730	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:18.127593994 CET	49721	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:18.127625942 CET	49730	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:18.129077911 CET	49730	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:18.129091978 CET	443	49730	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:18.395239115 CET	443	49725	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:18.397452116 CET	49725	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:18.397600889 CET	443	49724	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:18.401407957 CET	49725	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:18.401426077 CET	443	49725	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:18.401597023 CET	49724	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:18.401838064 CET	443	49725	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:18.405846119 CET	49725	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:18.406022072 CET	443	49725	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:18.406090975 CET	49725	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:18.406106949 CET	443	49725	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:18.407847881 CET	49724	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:18.407864094 CET	443	49724	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:18.407943964 CET	49724	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:18.408025026 CET	443	49724	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:18.409193993 CET	49724	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:18.472644091 CET	80	49726	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:18.484250069 CET	49726	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:18.484286070 CET	49719	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:18.485411882 CET	443	49727	34.160.144.191	192.168.2.6
Oct 30, 2024 21:55:18.487412930 CET	49727	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:18.490268946 CET	49727	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:18.490273952 CET	443	49727	34.160.144.191	192.168.2.6
Oct 30, 2024 21:55:18.490683079 CET	80	49726	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:18.490689993 CET	443	49727	34.160.144.191	192.168.2.6
Oct 30, 2024 21:55:18.490741968 CET	80	49719	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:18.493911982 CET	49726	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:18.493944883 CET	49719	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:18.494179010 CET	49727	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:18.494277000 CET	49727	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:18.494365931 CET	443	49727	34.160.144.191	192.168.2.6
Oct 30, 2024 21:55:18.494645119 CET	49732	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:18.494668961 CET	443	49732	34.160.144.191	192.168.2.6
Oct 30, 2024 21:55:18.495157003 CET	49727	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:18.495208025 CET	49732	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:18.495348930 CET	49732	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:18.495362043 CET	443	49732	34.160.144.191	192.168.2.6
Oct 30, 2024 21:55:18.540060043 CET	443	49728	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:18.540121078 CET	49728	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.544934988 CET	49728	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.544944048 CET	443	49728	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:18.544998884 CET	49728	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.545100927 CET	443	49728	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:18.545207024 CET	49728	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.611354113 CET	443	49725	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:18.611435890 CET	49725	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:18.626089096 CET	443	49729	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:18.629276037 CET	49729	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.633249998 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:18.635287046 CET	49729	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.635345936 CET	443	49729	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:18.635385036 CET	49729	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.635535955 CET	443	49729	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:18.639029026 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:18.644900084 CET	49729	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.644952059 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:18.645287991 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:18.651127100 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:18.683334112 CET	49739	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.683357000 CET	443	49739	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:18.684412003 CET	49739	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.685822010 CET	49739	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:18.685839891 CET	443	49739	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:19.021810055 CET	443	49730	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:19.022816896 CET	443	49730	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:19.027348995 CET	443	49730	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:19.042718887 CET	49730	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:19.054872990 CET	49730	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:19.054878950 CET	443	49730	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:19.054986954 CET	49730	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:19.055408001 CET	443	49730	142.250.185.238	192.168.2.6
Oct 30, 2024 21:55:19.061260939 CET	49730	443	192.168.2.6	142.250.185.238
Oct 30, 2024 21:55:19.118751049 CET	443	49732	34.160.144.191	192.168.2.6
Oct 30, 2024 21:55:19.127335072 CET	443	49732	34.160.144.191	192.168.2.6
Oct 30, 2024 21:55:19.130296946 CET	49732	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:19.139841080 CET	49732	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:19.139853001 CET	443	49732	34.160.144.191	192.168.2.6
Oct 30, 2024 21:55:19.140100002 CET	443	49732	34.160.144.191	192.168.2.6
Oct 30, 2024 21:55:19.144632101 CET	49732	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:19.144717932 CET	49732	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:19.144783020 CET	443	49732	34.160.144.191	192.168.2.6
Oct 30, 2024 21:55:19.144912004 CET	49732	443	192.168.2.6	34.160.144.191
Oct 30, 2024 21:55:19.270859003 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:19.302087069 CET	443	49739	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:19.311364889 CET	443	49739	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:19.314611912 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:19.314613104 CET	49739	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:19.332540989 CET	49739	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:19.332556963 CET	443	49739	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:19.332657099 CET	49739	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:19.333054066 CET	49741	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:19.333091974 CET	443	49741	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:19.333138943 CET	443	49739	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:19.334902048 CET	49739	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:19.336113930 CET	49741	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:19.342219114 CET	49741	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:19.342240095 CET	443	49741	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:19.534399986 CET	49747	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:19.540313005 CET	80	49747	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:19.543204069 CET	49747	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:19.543340921 CET	49747	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:19.549118996 CET	80	49747	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:19.556731939 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:19.562622070 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:19.686866999 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:19.733067036 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:19.817387104 CET	49747	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:19.865376949 CET	80	49747	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:19.959342957 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:19.964612961 CET	443	49741	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:19.964903116 CET	49741	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:19.965267897 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:19.969930887 CET	49741	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:19.969945908 CET	443	49741	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:19.970022917 CET	49741	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:19.970387936 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:19.970419884 CET	443	49741	34.117.188.166	192.168.2.6
Oct 30, 2024 21:55:19.970679998 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:19.970808983 CET	49741	443	192.168.2.6	34.117.188.166
Oct 30, 2024 21:55:19.976620913 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:20.025227070 CET	80	49747	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:20.025960922 CET	49747	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:20.207565069 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:20.213502884 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:20.217988968 CET	49750	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:20.218027115 CET	443	49750	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:20.218900919 CET	49750	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:20.220417976 CET	49750	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:20.220434904 CET	443	49750	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:20.352660894 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:20.403789043 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:20.594187975 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:20.635595083 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:20.830713987 CET	443	49750	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:20.834728003 CET	49750	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:20.844383955 CET	49750	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:20.844420910 CET	443	49750	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:20.844471931 CET	49750	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:20.844615936 CET	443	49750	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:20.844733000 CET	49750	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:23.711463928 CET	49772	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:23.711497068 CET	443	49772	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:23.713732958 CET	49772	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:23.714085102 CET	49772	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:23.714097023 CET	443	49772	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:23.722342968 CET	49773	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:23.722363949 CET	443	49773	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:23.722930908 CET	49773	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:23.725004911 CET	49773	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:23.725019932 CET	443	49773	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:23.748186111 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:23.748863935 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:23.754121065 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:23.754626036 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:23.761347055 CET	49774	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:23.761377096 CET	443	49774	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:23.773192883 CET	49774	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:23.774519920 CET	49774	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:23.774532080 CET	443	49774	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:23.877276897 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:23.878442049 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:23.928906918 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:23.929003954 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:24.354233027 CET	443	49772	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:24.354470015 CET	49772	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:24.364701986 CET	443	49773	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:24.371383905 CET	443	49773	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:24.374710083 CET	49773	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:24.393670082 CET	49772	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:24.393685102 CET	443	49772	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:24.394045115 CET	443	49772	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:24.396277905 CET	443	49774	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:24.396291018 CET	443	49774	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:24.414972067 CET	49774	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:24.437212944 CET	49772	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:24.441642046 CET	49772	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:24.441719055 CET	49772	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:24.442102909 CET	443	49772	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:24.442219019 CET	49773	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:24.442239046 CET	443	49773	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:24.442289114 CET	49773	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:24.442761898 CET	443	49773	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:24.444381952 CET	49774	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:24.444407940 CET	443	49774	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:24.444438934 CET	49774	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:24.444701910 CET	443	49774	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:24.455363035 CET	49772	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:24.455562115 CET	49774	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:24.455563068 CET	49773	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:30.321474075 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:30.327279091 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:30.355679989 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:30.361615896 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:30.368865013 CET	49816	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:30.368916988 CET	443	49816	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:30.371076107 CET	49817	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:30.371088028 CET	443	49817	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:30.374866962 CET	49816	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:30.374994993 CET	49817	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:30.376463890 CET	49816	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:30.376482010 CET	443	49816	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:30.377871037 CET	49817	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:30.377883911 CET	443	49817	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:30.449565887 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:30.485512972 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:30.512965918 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:30.544151068 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:30.655411959 CET	49821	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:30.655447960 CET	443	49821	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:30.655766010 CET	49822	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:30.655828953 CET	443	49822	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:30.657803059 CET	49821	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:30.657993078 CET	49821	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:30.658004999 CET	443	49821	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:30.658013105 CET	49822	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:30.658102989 CET	49822	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:30.658118010 CET	443	49822	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:30.997236967 CET	443	49816	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:30.997387886 CET	49816	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.002332926 CET	49816	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.002346039 CET	443	49816	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.002394915 CET	49816	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.002567053 CET	443	49816	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.003202915 CET	49816	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.024183989 CET	443	49817	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:31.024287939 CET	49817	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:31.029346943 CET	49817	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:31.029355049 CET	443	49817	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:31.029441118 CET	49817	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:31.029901028 CET	443	49817	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:31.029988050 CET	49817	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:31.084300041 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:31.087975979 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:31.090684891 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:31.091557026 CET	49824	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.091614008 CET	443	49824	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.091790915 CET	49824	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.093533993 CET	49824	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.093550920 CET	443	49824	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.093921900 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:31.243377924 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:31.243989944 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:31.266654968 CET	443	49822	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.266769886 CET	49822	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.269746065 CET	49822	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.269756079 CET	443	49822	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.269956112 CET	443	49822	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.272203922 CET	49822	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.272319078 CET	443	49822	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.272329092 CET	49822	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.272340059 CET	443	49822	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.276654005 CET	443	49821	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.276741982 CET	49821	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.279995918 CET	49821	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.280006886 CET	443	49821	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.280282974 CET	443	49821	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.282418966 CET	49821	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.282501936 CET	49821	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.282589912 CET	443	49821	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.283135891 CET	49821	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.283153057 CET	49821	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.293159962 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:31.293188095 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:31.483330011 CET	443	49822	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.483411074 CET	49822	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.727806091 CET	443	49824	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.727889061 CET	49824	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.731683016 CET	49824	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.731695890 CET	443	49824	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.731770039 CET	49824	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.731931925 CET	443	49824	34.120.208.123	192.168.2.6
Oct 30, 2024 21:55:31.732114077 CET	49824	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:55:31.746133089 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:31.751960993 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:31.793018103 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:31.799205065 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:31.874456882 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:31.922640085 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:31.932785034 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:31.964044094 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:32.577058077 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:32.583707094 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:32.706324100 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:32.765444040 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:41.097089052 CET	49883	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:41.097106934 CET	443	49883	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:41.097176075 CET	49883	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:41.098572016 CET	49883	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:41.098582983 CET	443	49883	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:41.721273899 CET	443	49883	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:41.721347094 CET	49883	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:41.725774050 CET	49883	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:41.725784063 CET	443	49883	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:41.725866079 CET	49883	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:41.725985050 CET	443	49883	34.107.243.93	192.168.2.6
Oct 30, 2024 21:55:41.727145910 CET	49883	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:55:41.728866100 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:41.734668016 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:41.857917070 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:41.861216068 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:41.866988897 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:41.909152985 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:41.989662886 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:42.047238111 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:44.507662058 CET	49901	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:44.507678032 CET	443	49901	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:44.508523941 CET	49901	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:44.508651018 CET	49901	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:44.508662939 CET	443	49901	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:44.512204885 CET	49902	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:44.512223005 CET	443	49902	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:44.512413979 CET	49902	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:44.512505054 CET	49902	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:44.512510061 CET	443	49902	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:44.513107061 CET	49903	443	192.168.2.6	151.101.193.91
Oct 30, 2024 21:55:44.513118982 CET	443	49903	151.101.193.91	192.168.2.6
Oct 30, 2024 21:55:44.513478041 CET	49903	443	192.168.2.6	151.101.193.91
Oct 30, 2024 21:55:44.513555050 CET	49903	443	192.168.2.6	151.101.193.91
Oct 30, 2024 21:55:44.513567924 CET	443	49903	151.101.193.91	192.168.2.6
Oct 30, 2024 21:55:44.562604904 CET	49904	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:44.562645912 CET	443	49904	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:44.568895102 CET	49904	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:44.570508003 CET	49904	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:44.570519924 CET	443	49904	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:44.581650019 CET	49906	443	192.168.2.6	35.201.103.21
Oct 30, 2024 21:55:44.581685066 CET	443	49906	35.201.103.21	192.168.2.6
Oct 30, 2024 21:55:44.585616112 CET	49906	443	192.168.2.6	35.201.103.21
Oct 30, 2024 21:55:44.587146997 CET	49906	443	192.168.2.6	35.201.103.21
Oct 30, 2024 21:55:44.587160110 CET	443	49906	35.201.103.21	192.168.2.6
Oct 30, 2024 21:55:45.111758947 CET	443	49901	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:45.111843109 CET	49901	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:45.115156889 CET	49901	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:45.115163088 CET	443	49901	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:45.115442038 CET	443	49901	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:45.118011951 CET	49901	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:45.118100882 CET	49901	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:45.118196964 CET	443	49901	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:45.118268013 CET	49901	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:45.123090029 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:45.128896952 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:45.131647110 CET	443	49902	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.131733894 CET	49902	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.135082006 CET	49902	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.135093927 CET	443	49902	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.136157990 CET	443	49902	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.137778997 CET	49902	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.137859106 CET	49902	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.138315916 CET	443	49902	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.138489008 CET	49902	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.139199018 CET	443	49903	151.101.193.91	192.168.2.6
Oct 30, 2024 21:55:45.140120983 CET	49903	443	192.168.2.6	151.101.193.91
Oct 30, 2024 21:55:45.143275023 CET	49903	443	192.168.2.6	151.101.193.91
Oct 30, 2024 21:55:45.143279076 CET	443	49903	151.101.193.91	192.168.2.6
Oct 30, 2024 21:55:45.143521070 CET	443	49903	151.101.193.91	192.168.2.6
Oct 30, 2024 21:55:45.146128893 CET	49903	443	192.168.2.6	151.101.193.91
Oct 30, 2024 21:55:45.146197081 CET	49903	443	192.168.2.6	151.101.193.91
Oct 30, 2024 21:55:45.146272898 CET	443	49903	151.101.193.91	192.168.2.6
Oct 30, 2024 21:55:45.146437883 CET	49903	443	192.168.2.6	151.101.193.91
Oct 30, 2024 21:55:45.153600931 CET	49909	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.153631926 CET	443	49909	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.153717041 CET	49909	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.153806925 CET	49909	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.153820038 CET	443	49909	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.155694962 CET	49910	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.155719995 CET	443	49910	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.155939102 CET	49910	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.156143904 CET	49910	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.156157017 CET	443	49910	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.158035994 CET	49911	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.158046007 CET	443	49911	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.158409119 CET	49911	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.158500910 CET	49911	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.158514977 CET	443	49911	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.193866014 CET	443	49904	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:45.193953037 CET	49904	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:45.198791027 CET	49904	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:45.198798895 CET	443	49904	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:45.198867083 CET	49904	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:45.199404955 CET	443	49904	35.190.72.216	192.168.2.6
Oct 30, 2024 21:55:45.199467897 CET	49904	443	192.168.2.6	35.190.72.216
Oct 30, 2024 21:55:45.216269016 CET	443	49906	35.201.103.21	192.168.2.6
Oct 30, 2024 21:55:45.216348886 CET	49906	443	192.168.2.6	35.201.103.21
Oct 30, 2024 21:55:45.221247911 CET	49906	443	192.168.2.6	35.201.103.21
Oct 30, 2024 21:55:45.221256018 CET	443	49906	35.201.103.21	192.168.2.6
Oct 30, 2024 21:55:45.221322060 CET	49906	443	192.168.2.6	35.201.103.21
Oct 30, 2024 21:55:45.221421957 CET	443	49906	35.201.103.21	192.168.2.6
Oct 30, 2024 21:55:45.221865892 CET	49906	443	192.168.2.6	35.201.103.21
Oct 30, 2024 21:55:45.231929064 CET	49912	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:45.231944084 CET	443	49912	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:45.232059956 CET	49912	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:45.232166052 CET	49912	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:45.232177019 CET	443	49912	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:45.251925945 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:45.260163069 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:45.265966892 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:45.303225994 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:45.592418909 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:45.633346081 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:45.633408070 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:45.773670912 CET	443	49910	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.773785114 CET	49910	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.774357080 CET	443	49911	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.774427891 CET	49911	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.776770115 CET	49910	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.776779890 CET	443	49910	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.777652979 CET	443	49910	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.777877092 CET	443	49909	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.777946949 CET	49909	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.779212952 CET	49911	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.779220104 CET	443	49911	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.779495001 CET	443	49911	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.781841993 CET	49909	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.781847954 CET	443	49909	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.782116890 CET	443	49909	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.784843922 CET	49910	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.785008907 CET	443	49910	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.785058975 CET	49910	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.785067081 CET	443	49910	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.785640955 CET	49911	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.785697937 CET	49911	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.785793066 CET	443	49911	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.786433935 CET	49909	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.786513090 CET	49909	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.786608934 CET	443	49909	35.244.181.201	192.168.2.6
Oct 30, 2024 21:55:45.788341999 CET	49911	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.788357019 CET	49909	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.788631916 CET	49910	443	192.168.2.6	35.244.181.201
Oct 30, 2024 21:55:45.792006969 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:45.797828913 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:45.852746010 CET	443	49912	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:45.852818012 CET	49912	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:45.855817080 CET	49912	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:45.855823994 CET	443	49912	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:45.856060982 CET	443	49912	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:45.858366013 CET	49912	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:45.858436108 CET	49912	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:45.858522892 CET	443	49912	34.149.100.209	192.168.2.6
Oct 30, 2024 21:55:45.858885050 CET	49912	443	192.168.2.6	34.149.100.209
Oct 30, 2024 21:55:45.921947956 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:45.935455084 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:45.941426992 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:45.973993063 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:46.063493013 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:46.105520964 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:53.804960012 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:53.810858965 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:53.933931112 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:53.937165022 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:53.942955017 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:53.981604099 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:55:54.065474987 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:55:54.113138914 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:01.876068115 CET	50002	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:01.876094103 CET	443	50002	34.107.243.93	192.168.2.6
Oct 30, 2024 21:56:01.876842976 CET	50002	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:01.878287077 CET	50002	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:01.878298998 CET	443	50002	34.107.243.93	192.168.2.6
Oct 30, 2024 21:56:02.497486115 CET	443	50002	34.107.243.93	192.168.2.6
Oct 30, 2024 21:56:02.497664928 CET	50002	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:02.502635956 CET	50002	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:02.502641916 CET	443	50002	34.107.243.93	192.168.2.6
Oct 30, 2024 21:56:02.502741098 CET	50002	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:02.502897024 CET	443	50002	34.107.243.93	192.168.2.6
Oct 30, 2024 21:56:02.503591061 CET	50002	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:02.505974054 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:02.511823893 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:02.634835005 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:02.638665915 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:02.644438982 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:02.684484005 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:02.766778946 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:02.822609901 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:12.636154890 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:12.641918898 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:12.783282042 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:12.789057016 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:14.484571934 CET	50035	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.484617949 CET	443	50035	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:14.484875917 CET	50036	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.484920979 CET	443	50036	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:14.485137939 CET	50037	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.485191107 CET	443	50037	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:14.485486031 CET	50038	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.485496044 CET	443	50038	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:14.485609055 CET	50039	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.485618114 CET	443	50039	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:14.485723019 CET	50040	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.485764027 CET	443	50040	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:14.488313913 CET	50035	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.488334894 CET	50036	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.488334894 CET	50038	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.488336086 CET	50037	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.488496065 CET	50039	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.488497972 CET	50035	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.488506079 CET	50040	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.488514900 CET	443	50035	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:14.488735914 CET	50036	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.488754988 CET	443	50036	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:14.488836050 CET	50037	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.488848925 CET	443	50037	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:14.488923073 CET	50040	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.488965988 CET	443	50040	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:14.488980055 CET	50039	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.488990068 CET	443	50039	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:14.489053011 CET	50038	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:14.489064932 CET	443	50038	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.094435930 CET	443	50035	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.094516993 CET	50035	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.097997904 CET	50035	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.098006010 CET	443	50035	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.098046064 CET	443	50037	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.098109961 CET	50037	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.098242998 CET	443	50035	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.100581884 CET	50037	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.100600958 CET	443	50037	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.100939989 CET	443	50037	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.103707075 CET	50035	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.103827953 CET	50035	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.103866100 CET	443	50035	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.104480028 CET	50041	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.104574919 CET	443	50041	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.104774952 CET	50037	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.104849100 CET	50037	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.104971886 CET	443	50037	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.105210066 CET	50042	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.105273962 CET	443	50042	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.105304003 CET	50035	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.105340958 CET	50037	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.105353117 CET	50041	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.105596066 CET	50042	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.106806040 CET	50041	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.106842995 CET	443	50041	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.106884003 CET	50042	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.106915951 CET	443	50042	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.110069990 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:15.110254049 CET	443	50039	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.110379934 CET	50039	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.113173962 CET	50039	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.113193035 CET	443	50039	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.113538980 CET	443	50039	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.114629030 CET	443	50040	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.114794016 CET	50040	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.115242004 CET	443	50038	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.115329981 CET	50038	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.116265059 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:15.116888046 CET	50040	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.116899967 CET	443	50040	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.117655993 CET	443	50040	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.119400024 CET	50038	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.119431019 CET	443	50038	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.119914055 CET	443	50038	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.120990038 CET	50039	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.121073008 CET	50039	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.121337891 CET	443	50039	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.121444941 CET	443	50036	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.121946096 CET	50039	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.121989965 CET	50036	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.124464989 CET	50036	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.124481916 CET	443	50036	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.125353098 CET	443	50036	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.126221895 CET	50040	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.126415014 CET	443	50040	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.126432896 CET	50040	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.126446962 CET	443	50040	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.126935959 CET	50038	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.127002954 CET	50038	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.127228975 CET	443	50038	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.127309084 CET	50038	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.127342939 CET	50040	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.128766060 CET	50036	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.128854036 CET	50036	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.129193068 CET	443	50036	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.129282951 CET	50036	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.242486954 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:15.246516943 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:15.253015995 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:15.290508986 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:15.375284910 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:15.422120094 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:15.731045961 CET	443	50042	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.731197119 CET	50042	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.733966112 CET	50042	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.734013081 CET	443	50042	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.734345913 CET	443	50042	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.734797001 CET	443	50041	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.735060930 CET	50041	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.737066984 CET	50041	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.737099886 CET	443	50041	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.737351894 CET	443	50041	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.738308907 CET	50042	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.738414049 CET	50042	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.738506079 CET	443	50042	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.740006924 CET	50041	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.740104914 CET	50041	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.740168095 CET	443	50041	34.120.208.123	192.168.2.6
Oct 30, 2024 21:56:15.740359068 CET	50041	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.740371943 CET	50042	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.740401030 CET	50041	443	192.168.2.6	34.120.208.123
Oct 30, 2024 21:56:15.741873026 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:15.747790098 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:16.046967983 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:16.050147057 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:16.056101084 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:16.092884064 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:16.178302050 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:16.224468946 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:26.051651001 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:26.057516098 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:26.189807892 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:26.195652962 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:36.072118044 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:36.078023911 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:36.210120916 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:36.215990067 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:42.953219891 CET	50044	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:42.953247070 CET	443	50044	34.107.243.93	192.168.2.6
Oct 30, 2024 21:56:42.953530073 CET	50044	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:42.955116034 CET	50044	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:42.955127954 CET	443	50044	34.107.243.93	192.168.2.6
Oct 30, 2024 21:56:43.580657959 CET	443	50044	34.107.243.93	192.168.2.6
Oct 30, 2024 21:56:43.582890987 CET	50044	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:43.587865114 CET	50044	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:43.587894917 CET	443	50044	34.107.243.93	192.168.2.6
Oct 30, 2024 21:56:43.588133097 CET	443	50044	34.107.243.93	192.168.2.6
Oct 30, 2024 21:56:43.589835882 CET	50044	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:43.589842081 CET	443	50044	34.107.243.93	192.168.2.6
Oct 30, 2024 21:56:43.591130972 CET	50044	443	192.168.2.6	34.107.243.93
Oct 30, 2024 21:56:43.591983080 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:43.597791910 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:43.720880032 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:43.724870920 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:43.730722904 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:43.764344931 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:43.853070021 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:43.895944118 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:53.724838972 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:53.730760098 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:56:53.863008022 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:56:53.868999958 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:57:03.737217903 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:57:03.743191004 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:57:03.875019073 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:57:03.881153107 CET	80	49748	34.107.221.82	192.168.2.6
Oct 30, 2024 21:57:13.754082918 CET	49738	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:57:13.759932041 CET	80	49738	34.107.221.82	192.168.2.6
Oct 30, 2024 21:57:13.884228945 CET	49748	80	192.168.2.6	34.107.221.82
Oct 30, 2024 21:57:13.890047073 CET	80	49748	34.107.221.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 21:55:16.985501051 CET	50413	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:16.986938953 CET	56219	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:16.994352102 CET	53	50413	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.007877111 CET	57827	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.009337902 CET	50360	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.011322021 CET	57527	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.017643929 CET	53	57827	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.018712044 CET	53	50360	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.019979954 CET	53	57527	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.030040979 CET	60251	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.030380011 CET	49496	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.030421972 CET	64574	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.039042950 CET	53	64574	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.039058924 CET	53	60251	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.039067984 CET	53	49496	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.281569958 CET	62996	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.291140079 CET	53	62996	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.293018103 CET	49615	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.302349091 CET	53	49615	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.303049088 CET	63165	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.312983990 CET	53	63165	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.370265961 CET	52772	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.379605055 CET	53	52772	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.381048918 CET	52466	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.390542984 CET	53	52466	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.395503044 CET	53027	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.404206991 CET	53	53027	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.765113115 CET	51150	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.772475004 CET	63624	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.774449110 CET	53	51150	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.775793076 CET	56456	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.781130075 CET	53	63624	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.785345078 CET	53	56456	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.801621914 CET	51641	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.810462952 CET	53	51641	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.821149111 CET	50002	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.834283113 CET	56250	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.843246937 CET	53	56250	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.845128059 CET	57630	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.854157925 CET	53	57630	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:17.854733944 CET	55009	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:17.863059998 CET	53	55009	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:18.192198038 CET	50296	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:18.233247995 CET	53	64665	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:19.958872080 CET	63870	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:19.967888117 CET	53	63870	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:19.972107887 CET	62605	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:19.980897903 CET	53	62605	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:19.985177994 CET	61142	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:19.993578911 CET	53	61142	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:23.697729111 CET	53661	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:23.711555958 CET	53	53661	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:23.711824894 CET	63276	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:23.715884924 CET	64753	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:23.723520041 CET	54529	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:23.725914955 CET	53	63276	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:23.728182077 CET	53	64753	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:23.729135036 CET	55777	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:23.732345104 CET	53	54529	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:23.733654976 CET	54244	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:23.737972021 CET	53	55777	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:23.742336035 CET	53	54244	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:23.751023054 CET	53556	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:23.759726048 CET	53	53556	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:23.763451099 CET	65062	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:23.772360086 CET	53	65062	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:23.776012897 CET	51187	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:23.785031080 CET	53	51187	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:30.357417107 CET	53293	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:30.358026028 CET	55588	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:30.366018057 CET	53	53293	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:30.366919994 CET	53	55588	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:30.370553017 CET	50964	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:30.379728079 CET	53	50964	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:35.997411013 CET	57734	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:35.997494936 CET	64009	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:35.997682095 CET	52671	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:36.006397009 CET	53	57734	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.006494999 CET	53	52671	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.006509066 CET	53	64009	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.007421017 CET	50083	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:36.007535934 CET	53908	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:36.008059978 CET	60118	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:36.017358065 CET	53	60118	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.017726898 CET	53	50083	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.017741919 CET	53	53908	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.018157005 CET	64091	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:36.018358946 CET	52085	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:36.018465996 CET	50760	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:36.027164936 CET	53	50760	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.027220011 CET	53	64091	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.027884007 CET	53	52085	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.028086901 CET	62851	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:36.028259039 CET	62482	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:36.037331104 CET	53	62851	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.037390947 CET	53	62482	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.038203001 CET	63235	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:36.038336039 CET	57150	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:36.047599077 CET	53	63235	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.047610998 CET	53	57150	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.048252106 CET	51238	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:36.048310041 CET	59375	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:36.056992054 CET	53	51238	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:36.057483912 CET	53	59375	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:41.097501993 CET	55792	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:41.106496096 CET	53	55792	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:44.499813080 CET	61549	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:44.508763075 CET	53	61549	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:44.509704113 CET	54836	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:44.513417959 CET	57226	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:44.518707991 CET	53	54836	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:44.522466898 CET	53	57226	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:44.522998095 CET	55852	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:44.532401085 CET	53	55852	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:44.563215017 CET	49569	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:44.572516918 CET	53	49569	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:44.582422018 CET	57433	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:44.591617107 CET	53	57433	1.1.1.1	192.168.2.6
Oct 30, 2024 21:55:44.592134953 CET	62561	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:55:44.600857019 CET	53	62561	1.1.1.1	192.168.2.6
Oct 30, 2024 21:56:01.875272036 CET	60011	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:56:01.885593891 CET	53	60011	1.1.1.1	192.168.2.6
Oct 30, 2024 21:56:01.887012959 CET	55025	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:56:01.896477938 CET	53	55025	1.1.1.1	192.168.2.6
Oct 30, 2024 21:56:14.483566999 CET	64636	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:56:14.492510080 CET	53	64636	1.1.1.1	192.168.2.6
Oct 30, 2024 21:56:15.110630035 CET	57184	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:56:42.943080902 CET	59671	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:56:42.952204943 CET	53	59671	1.1.1.1	192.168.2.6
Oct 30, 2024 21:56:42.952900887 CET	63760	53	192.168.2.6	1.1.1.1
Oct 30, 2024 21:56:42.961772919 CET	53	63760	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 21:55:16.985501051 CET	192.168.2.6	1.1.1.1	0xc2ad	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:16.986938953 CET	192.168.2.6	1.1.1.1	0xff	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.007877111 CET	192.168.2.6	1.1.1.1	0x50ef	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.009337902 CET	192.168.2.6	1.1.1.1	0xd817	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.011322021 CET	192.168.2.6	1.1.1.1	0xbd96	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.030040979 CET	192.168.2.6	1.1.1.1	0xc837	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 21:55:17.030380011 CET	192.168.2.6	1.1.1.1	0x1042	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 30, 2024 21:55:17.030421972 CET	192.168.2.6	1.1.1.1	0xfcf9	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 21:55:17.281569958 CET	192.168.2.6	1.1.1.1	0xbb22	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.293018103 CET	192.168.2.6	1.1.1.1	0xf929	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.303049088 CET	192.168.2.6	1.1.1.1	0x3f34	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 21:55:17.370265961 CET	192.168.2.6	1.1.1.1	0x7de3	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.381048918 CET	192.168.2.6	1.1.1.1	0x294f	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.395503044 CET	192.168.2.6	1.1.1.1	0x2cca	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 21:55:17.765113115 CET	192.168.2.6	1.1.1.1	0xb17b	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.772475004 CET	192.168.2.6	1.1.1.1	0x22a0	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.775793076 CET	192.168.2.6	1.1.1.1	0x1a34	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.801621914 CET	192.168.2.6	1.1.1.1	0xea63	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 21:55:17.821149111 CET	192.168.2.6	1.1.1.1	0x85e5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.834283113 CET	192.168.2.6	1.1.1.1	0x767a	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.845128059 CET	192.168.2.6	1.1.1.1	0x3294	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.854733944 CET	192.168.2.6	1.1.1.1	0x93ac	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 21:55:18.192198038 CET	192.168.2.6	1.1.1.1	0xdfb3	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:19.958872080 CET	192.168.2.6	1.1.1.1	0x124e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:19.972107887 CET	192.168.2.6	1.1.1.1	0x91b3	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:19.985177994 CET	192.168.2.6	1.1.1.1	0x7468	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 21:55:23.697729111 CET	192.168.2.6	1.1.1.1	0x9eb	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:23.711824894 CET	192.168.2.6	1.1.1.1	0x2c81	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 21:55:23.715884924 CET	192.168.2.6	1.1.1.1	0x42ce	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:23.723520041 CET	192.168.2.6	1.1.1.1	0x781a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:23.729135036 CET	192.168.2.6	1.1.1.1	0xe2f	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 21:55:23.733654976 CET	192.168.2.6	1.1.1.1	0xfb3	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 21:55:23.751023054 CET	192.168.2.6	1.1.1.1	0xccd3	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:23.763451099 CET	192.168.2.6	1.1.1.1	0x883f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:23.776012897 CET	192.168.2.6	1.1.1.1	0x5caa	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 21:55:30.357417107 CET	192.168.2.6	1.1.1.1	0xa148	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:30.358026028 CET	192.168.2.6	1.1.1.1	0xa19b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 21:55:30.370553017 CET	192.168.2.6	1.1.1.1	0x808a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 21:55:35.997411013 CET	192.168.2.6	1.1.1.1	0x3221	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:35.997494936 CET	192.168.2.6	1.1.1.1	0x9f5a	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:35.997682095 CET	192.168.2.6	1.1.1.1	0x5f99	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.007421017 CET	192.168.2.6	1.1.1.1	0xa50c	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.007535934 CET	192.168.2.6	1.1.1.1	0xd125	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.008059978 CET	192.168.2.6	1.1.1.1	0x904	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.018157005 CET	192.168.2.6	1.1.1.1	0xb5eb	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 30, 2024 21:55:36.018358946 CET	192.168.2.6	1.1.1.1	0x4d12	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 30, 2024 21:55:36.018465996 CET	192.168.2.6	1.1.1.1	0x8521	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 30, 2024 21:55:36.028086901 CET	192.168.2.6	1.1.1.1	0xb152	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.028259039 CET	192.168.2.6	1.1.1.1	0x76d1	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.038203001 CET	192.168.2.6	1.1.1.1	0xb6b1	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.038336039 CET	192.168.2.6	1.1.1.1	0x3c49	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.048252106 CET	192.168.2.6	1.1.1.1	0xea62	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 30, 2024 21:55:36.048310041 CET	192.168.2.6	1.1.1.1	0x127e	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 30, 2024 21:55:41.097501993 CET	192.168.2.6	1.1.1.1	0x841b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 21:55:44.499813080 CET	192.168.2.6	1.1.1.1	0xf2b1	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.509704113 CET	192.168.2.6	1.1.1.1	0xbf0b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 21:55:44.513417959 CET	192.168.2.6	1.1.1.1	0x363d	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.522998095 CET	192.168.2.6	1.1.1.1	0x1ce0	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 30, 2024 21:55:44.563215017 CET	192.168.2.6	1.1.1.1	0x6a3f	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.582422018 CET	192.168.2.6	1.1.1.1	0xdab8	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.592134953 CET	192.168.2.6	1.1.1.1	0xd37f	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 21:56:01.875272036 CET	192.168.2.6	1.1.1.1	0x8905	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:56:01.887012959 CET	192.168.2.6	1.1.1.1	0x72e1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 21:56:14.483566999 CET	192.168.2.6	1.1.1.1	0xd24e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 21:56:15.110630035 CET	192.168.2.6	1.1.1.1	0xafbd	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:56:42.943080902 CET	192.168.2.6	1.1.1.1	0x6aa5	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:56:42.952900887 CET	192.168.2.6	1.1.1.1	0x2c12	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 21:55:16.993849039 CET	1.1.1.1	192.168.2.6	0x2dde	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:16.994352102 CET	1.1.1.1	192.168.2.6	0xc2ad	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:16.995613098 CET	1.1.1.1	192.168.2.6	0xff	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:16.995613098 CET	1.1.1.1	192.168.2.6	0xff	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.017643929 CET	1.1.1.1	192.168.2.6	0x50ef	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.018712044 CET	1.1.1.1	192.168.2.6	0xd817	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.019979954 CET	1.1.1.1	192.168.2.6	0xbd96	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.039042950 CET	1.1.1.1	192.168.2.6	0xfcf9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 21:55:17.039067984 CET	1.1.1.1	192.168.2.6	0x1042	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 30, 2024 21:55:17.291140079 CET	1.1.1.1	192.168.2.6	0xbb22	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.302349091 CET	1.1.1.1	192.168.2.6	0xf929	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.379605055 CET	1.1.1.1	192.168.2.6	0x7de3	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:17.379605055 CET	1.1.1.1	192.168.2.6	0x7de3	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.390542984 CET	1.1.1.1	192.168.2.6	0x294f	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.771544933 CET	1.1.1.1	192.168.2.6	0x3de4	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:17.771544933 CET	1.1.1.1	192.168.2.6	0x3de4	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.774449110 CET	1.1.1.1	192.168.2.6	0xb17b	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.781130075 CET	1.1.1.1	192.168.2.6	0x22a0	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.781130075 CET	1.1.1.1	192.168.2.6	0x22a0	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.785345078 CET	1.1.1.1	192.168.2.6	0x1a34	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.830414057 CET	1.1.1.1	192.168.2.6	0x85e5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:17.830414057 CET	1.1.1.1	192.168.2.6	0x85e5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.843246937 CET	1.1.1.1	192.168.2.6	0x767a	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:17.843246937 CET	1.1.1.1	192.168.2.6	0x767a	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:17.843246937 CET	1.1.1.1	192.168.2.6	0x767a	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.854157925 CET	1.1.1.1	192.168.2.6	0x3294	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:17.863059998 CET	1.1.1.1	192.168.2.6	0x93ac	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 21:55:18.200988054 CET	1.1.1.1	192.168.2.6	0xdfb3	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:19.967888117 CET	1.1.1.1	192.168.2.6	0x124e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:19.980897903 CET	1.1.1.1	192.168.2.6	0x91b3	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:23.709069967 CET	1.1.1.1	192.168.2.6	0x4356	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:23.709069967 CET	1.1.1.1	192.168.2.6	0x4356	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:23.711555958 CET	1.1.1.1	192.168.2.6	0x9eb	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:23.711555958 CET	1.1.1.1	192.168.2.6	0x9eb	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:23.711555958 CET	1.1.1.1	192.168.2.6	0x9eb	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:23.721436977 CET	1.1.1.1	192.168.2.6	0xffd7	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:23.728182077 CET	1.1.1.1	192.168.2.6	0x42ce	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:23.732345104 CET	1.1.1.1	192.168.2.6	0x781a	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:23.759726048 CET	1.1.1.1	192.168.2.6	0xccd3	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:23.759726048 CET	1.1.1.1	192.168.2.6	0xccd3	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:23.772360086 CET	1.1.1.1	192.168.2.6	0x883f	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:30.365374088 CET	1.1.1.1	192.168.2.6	0xe70d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:30.366018057 CET	1.1.1.1	192.168.2.6	0xa148	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006397009 CET	1.1.1.1	192.168.2.6	0x3221	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006397009 CET	1.1.1.1	192.168.2.6	0x3221	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006494999 CET	1.1.1.1	192.168.2.6	0x5f99	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006494999 CET	1.1.1.1	192.168.2.6	0x5f99	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.006509066 CET	1.1.1.1	192.168.2.6	0x9f5a	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017358065 CET	1.1.1.1	192.168.2.6	0x904	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017726898 CET	1.1.1.1	192.168.2.6	0xa50c	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.017741919 CET	1.1.1.1	192.168.2.6	0xd125	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.027164936 CET	1.1.1.1	192.168.2.6	0x8521	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 21:55:36.027164936 CET	1.1.1.1	192.168.2.6	0x8521	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 21:55:36.027164936 CET	1.1.1.1	192.168.2.6	0x8521	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 21:55:36.027164936 CET	1.1.1.1	192.168.2.6	0x8521	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 21:55:36.027220011 CET	1.1.1.1	192.168.2.6	0xb5eb	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 30, 2024 21:55:36.027884007 CET	1.1.1.1	192.168.2.6	0x4d12	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 30, 2024 21:55:36.037331104 CET	1.1.1.1	192.168.2.6	0xb152	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:36.037331104 CET	1.1.1.1	192.168.2.6	0xb152	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.037331104 CET	1.1.1.1	192.168.2.6	0xb152	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.037331104 CET	1.1.1.1	192.168.2.6	0xb152	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.037331104 CET	1.1.1.1	192.168.2.6	0xb152	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.037390947 CET	1.1.1.1	192.168.2.6	0x76d1	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.047599077 CET	1.1.1.1	192.168.2.6	0xb6b1	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.047610998 CET	1.1.1.1	192.168.2.6	0x3c49	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.047610998 CET	1.1.1.1	192.168.2.6	0x3c49	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.047610998 CET	1.1.1.1	192.168.2.6	0x3c49	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:36.047610998 CET	1.1.1.1	192.168.2.6	0x3c49	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.501703024 CET	1.1.1.1	192.168.2.6	0xf6b3	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:44.501703024 CET	1.1.1.1	192.168.2.6	0xf6b3	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.508763075 CET	1.1.1.1	192.168.2.6	0xf2b1	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.508763075 CET	1.1.1.1	192.168.2.6	0xf2b1	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.508763075 CET	1.1.1.1	192.168.2.6	0xf2b1	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.508763075 CET	1.1.1.1	192.168.2.6	0xf2b1	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.522466898 CET	1.1.1.1	192.168.2.6	0x363d	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.522466898 CET	1.1.1.1	192.168.2.6	0x363d	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.522466898 CET	1.1.1.1	192.168.2.6	0x363d	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.522466898 CET	1.1.1.1	192.168.2.6	0x363d	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.532401085 CET	1.1.1.1	192.168.2.6	0x1ce0	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 21:55:44.532401085 CET	1.1.1.1	192.168.2.6	0x1ce0	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 21:55:44.532401085 CET	1.1.1.1	192.168.2.6	0x1ce0	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 21:55:44.532401085 CET	1.1.1.1	192.168.2.6	0x1ce0	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 21:55:44.572516918 CET	1.1.1.1	192.168.2.6	0x6a3f	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:44.572516918 CET	1.1.1.1	192.168.2.6	0x6a3f	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:44.591617107 CET	1.1.1.1	192.168.2.6	0xdab8	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:55:45.834383965 CET	1.1.1.1	192.168.2.6	0xde82	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:55:45.834383965 CET	1.1.1.1	192.168.2.6	0xde82	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:56:01.885593891 CET	1.1.1.1	192.168.2.6	0x8905	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:56:14.477909088 CET	1.1.1.1	192.168.2.6	0xa34b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:56:15.119553089 CET	1.1.1.1	192.168.2.6	0xafbd	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 21:56:15.119553089 CET	1.1.1.1	192.168.2.6	0xafbd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 21:56:42.952204943 CET	1.1.1.1	192.168.2.6	0x6aa5	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49719	34.107.221.82	80	3196	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 21:55:17.029324055 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:55:17.610349894 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59044 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49726	34.107.221.82	80	3196	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 21:55:17.844127893 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:55:18.472644091 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59067 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49738	34.107.221.82	80	3196	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 21:55:18.645287991 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:55:19.270859003 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59046 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:55:19.556731939 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:55:19.686866999 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59046 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:55:20.207565069 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:55:20.352660894 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59047 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:55:23.748863935 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:55:23.878442049 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59050 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:55:30.355679989 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:55:30.485512972 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59057 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:55:31.087975979 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:55:31.243989944 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59058 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:55:31.793018103 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:55:31.922640085 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59058 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:55:41.728866100 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:55:41.857917070 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59068 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:55:45.123090029 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:55:45.251925945 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59072 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:55:45.792006969 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:55:45.921947956 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59072 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:55:53.804960012 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:55:53.933931112 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59080 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:56:02.505974054 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:56:02.634835005 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59089 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:56:12.636154890 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 21:56:15.110069990 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:56:15.242486954 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59102 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:56:15.741873026 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:56:16.046967983 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59102 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:56:26.051651001 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 21:56:36.072118044 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 21:56:43.591983080 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 21:56:43.720880032 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 59130 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 21:56:53.724838972 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 21:57:03.737217903 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 21:57:13.754082918 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49747	34.107.221.82	80	3196	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 21:55:19.543340921 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49748	34.107.221.82	80	3196	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 21:55:19.970679998 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:55:20.594187975 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59069 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:55:23.748186111 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:55:23.877276897 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59072 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:55:30.321474075 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:55:30.449565887 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59079 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:55:31.084300041 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:55:31.243377924 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59080 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:55:31.746133089 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:55:31.874456882 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59080 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:55:32.577058077 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:55:32.706324100 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59081 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:55:41.861216068 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:55:41.989662886 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59090 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:55:45.260163069 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:55:45.592418909 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59094 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:55:45.633346081 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59094 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:55:45.935455084 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:55:46.063493013 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59095 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:55:53.937165022 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:55:54.065474987 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59103 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:56:02.638665915 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:56:02.766778946 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59111 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:56:12.783282042 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 21:56:15.246516943 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:56:15.375284910 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59124 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:56:16.050147057 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:56:16.178302050 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59125 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:56:26.189807892 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 21:56:36.210120916 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 21:56:43.724870920 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 21:56:43.853070021 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 59152 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 21:56:53.863008022 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 21:57:03.875019073 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 21:57:13.884228945 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	16:55:08
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe80000
File size:	919'552 bytes
MD5 hash:	A5C626CB978C8D7070F00E5EEEAC13F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2201583150.000000000124F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:55:08
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x1e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:55:08
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:55:10
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x1e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:55:10
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:55:10
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x1e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:55:10
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:55:10
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x1e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:55:11
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:55:11
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x1e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:55:11
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:55:11
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:55:11
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:55:11
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	16:55:12
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e3ee68f-9cdf-464b-bcc4-bfcae5e827a3} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" 230a1e6d710 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	16:55:14
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3904 -parentBuildID 20230927232528 -prefsHandle 3912 -prefMapHandle 3908 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85363194-8cc0-4802-91a8-e213973fd8be} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" 230b43aee10 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	16:55:22
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4948 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4972 -prefMapHandle 4740 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be7d4054-5c38-4189-9f83-6f293799c454} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" 230bc211b10 utility
Imagebase:	0x7ff66e660000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1497
Total number of Limit Nodes:	49

Executed Functions

Function 00E842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E8430D

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

GetCurrentProcess.KERNEL32(?,00F1CB64,00000000,?,?), ref: 00E84422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00E84429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00E84454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E84466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00E84474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00E8447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00E844A0

Strings

kernel32.dll, xrefs: 00E8444F
GetNativeSystemInfo, xrefs: 00E84460
|O, xrefs: 00EC36F8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 2bbdddd6a260fb97ff36812543c23a4a1c16860e394ceaac1f3ee122f710e6fa
Instruction ID: 7c5143cadead0cc38d8bcb3cc8792a0ab19bf43b6acc153b571e8aa8ebf2278e
Opcode Fuzzy Hash: 2bbdddd6a260fb97ff36812543c23a4a1c16860e394ceaac1f3ee122f710e6fa
Instruction Fuzzy Hash: E8A109A18093CCCFC711D7B87C607D57FA4BF3634AB08A89DD289B3662D2216509FB61

Function 00E842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E850AA,?,?,00000000,00000000), ref: 00E842B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E850AA,?,?,00000000,00000000), ref: 00E842C9
LoadResource.KERNEL32(?,00000000,?,?,00E850AA,?,?,00000000,00000000,?,?,?,?,?,?,00E84F20), ref: 00EC35BE
SizeofResource.KERNEL32(?,00000000,?,?,00E850AA,?,?,00000000,00000000,?,?,?,?,?,?,00E84F20), ref: 00EC35D3
LockResource.KERNEL32(00E850AA,?,?,00E850AA,?,?,00000000,00000000,?,?,?,?,?,?,00E84F20,?), ref: 00EC35E6

Strings

SCRIPT, xrefs: 00E842BF

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: cb8fb15b5493bf404823137f1cdcdfa596574221ca499e106b8b5360be044b52
Instruction ID: a171543af4690ed93fd532478b1e9ef21c388951bd311694cd314efe69be315e
Opcode Fuzzy Hash: cb8fb15b5493bf404823137f1cdcdfa596574221ca499e106b8b5360be044b52
Instruction Fuzzy Hash: 5511ACB0240309BFD722AB65DC48FA77BB9EBC9B55F108169F40AE62A0DB71D8009660

Function 00EEDBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,"R), ref: 00EEDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00EEDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00EEDBEE
FindClose.KERNEL32(00000000), ref: 00EEDBFA

Strings

"R, xrefs: 00EEDBCA

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID: "R
API String ID: 2695905019-1746183819
Opcode ID: 8f779e0729fe2b9794303380af241f38dce9ae2b41f63c614fe7941d7a3ace93
Instruction ID: b2f5408e92280e119150d6d7e8134a50412e47f41f34d281d4f70d6fbc6d5851
Opcode Fuzzy Hash: 8f779e0729fe2b9794303380af241f38dce9ae2b41f63c614fe7941d7a3ace93
Instruction Fuzzy Hash: 50F0E53085895C6782206B7CAC0D8EAB76C9E01378B219702F836D20F0EBB15D64D6D6

Function 00EC2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00E82B6B

Part of subcall function 00E83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F51418,?,00E82E7F,?,?,?,00000000), ref: 00E83A78

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00F42224), ref: 00EC2C10
ShellExecuteW.SHELL32(00000000,?,?,00F42224), ref: 00EC2C17

Strings

runas, xrefs: 00EC2C0B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 0be8c299fd2dcf6dbeaaf474a4abddc4e10b71d72a1cc340a52aa0517113f66c
Instruction ID: 30f95a4977973a426db68fce03385f2efab597d50af28012a5ab1eec15631c3f
Opcode Fuzzy Hash: 0be8c299fd2dcf6dbeaaf474a4abddc4e10b71d72a1cc340a52aa0517113f66c
Instruction Fuzzy Hash: 1C11D6315083056AC704FF70D851EBEBBE4AB91745F44342DF64E720E3CF259A4AA752

Function 00EA4CE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00EB28E9,(,00EA4CBE,00000000,00F488B8,0000000C,00EA4E15,(,00000002,00000000,?,00EB28E9,00000003,00EB2DF7,?,?), ref: 00EA4D09
TerminateProcess.KERNEL32(00000000,?,00EB28E9,00000003,00EB2DF7,?,?,?,00EAE6D1,?,00F48A48,00000010,00E84F4A,?,?,00000000), ref: 00EA4D10
ExitProcess.KERNEL32 ref: 00EA4D22

Strings

(, xrefs: 00EA4CEA

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: (
API String ID: 1703294689-2063206799
Opcode ID: 3d90856dc74c9d00fc399c1c3b7ed73c98fa235cba5bccbc1a8235030783c6fa
Instruction ID: c5a47610bc3bf693330f48a32b753aabe93f6e6693a0f044598becc8ce804ec7
Opcode Fuzzy Hash: 3d90856dc74c9d00fc399c1c3b7ed73c98fa235cba5bccbc1a8235030783c6fa
Instruction Fuzzy Hash: 34E046B1040108ABCF11AF24DD0AA883B69EB86785F018014FD14AA162CB75EE42EA80

Function 00EED4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EED501
Process32FirstW.KERNEL32(00000000,?), ref: 00EED50F
Process32NextW.KERNEL32(00000000,?), ref: 00EED52F
CloseHandle.KERNELBASE(00000000), ref: 00EED5DC

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7281622e37c4e3470f0cc07abd19ed45ba235181b5c3f2e01d08c31fbe64f471
Instruction ID: b2fdf799b3083ce451d3601dab81853e3caa3b1a0dc56cca6c2aea0175c12b33
Opcode Fuzzy Hash: 7281622e37c4e3470f0cc07abd19ed45ba235181b5c3f2e01d08c31fbe64f471
Instruction Fuzzy Hash: 2931AF310083449FD304EF54CC85ABFBBF8EF99344F14092DF589A21A2EB719948CB92

Function 00F0AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00F0B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F0B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F0B1D4
_wcslen.LIBCMT ref: 00F0B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F0B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F0B236
_wcslen.LIBCMT ref: 00F0B332

Part of subcall function 00EF05A7: GetStdHandle.KERNEL32(000000F6), ref: 00EF05C6

_wcslen.LIBCMT ref: 00F0B34B
_wcslen.LIBCMT ref: 00F0B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F0B3B6
GetLastError.KERNEL32(00000000), ref: 00F0B407
CloseHandle.KERNEL32(?), ref: 00F0B439
CloseHandle.KERNEL32(00000000), ref: 00F0B44A
CloseHandle.KERNEL32(00000000), ref: 00F0B45C
CloseHandle.KERNEL32(00000000), ref: 00F0B46E
CloseHandle.KERNEL32(?), ref: 00F0B4E3

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 32c1bb06c003d45a29efc33dcfde244eb094442036f361675a5d1a4c3dc2c6c6
Instruction ID: f97f58c3ad29e7062be0653d74edceb421c98e1de1c5ee726c0ea5451b242c5f
Opcode Fuzzy Hash: 32c1bb06c003d45a29efc33dcfde244eb094442036f361675a5d1a4c3dc2c6c6
Instruction Fuzzy Hash: 92F1A071A043409FC715EF24C881B6EBBE5AF85724F14855DF8999B2E2DB31EC40EB52

Function 00E8D730 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00E8D807
timeGetTime.WINMM ref: 00E8DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E8DB28
TranslateMessage.USER32(?), ref: 00E8DB7B
DispatchMessageW.USER32(?), ref: 00E8DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E8DB9F
Sleep.KERNELBASE(0000000A), ref: 00E8DBB1

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: cbce7fbc36bec4399462e7a2b01b501b025f152398da0a4d1c7d801d5d535a3c
Instruction ID: f7aaba9fc0867f717b1e88739617615836d75578b5fc9d80864ad5931e0a2369
Opcode Fuzzy Hash: cbce7fbc36bec4399462e7a2b01b501b025f152398da0a4d1c7d801d5d535a3c
Instruction Fuzzy Hash: F742FF30608341AFD728EB24CC44BAAB7E0FF85318F14A65EE55DA73D1D7B0A845DB82

Function 00E82CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E82D07
RegisterClassExW.USER32(00000030), ref: 00E82D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E82D42
InitCommonControlsEx.COMCTL32(?), ref: 00E82D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E82D6F
LoadIconW.USER32(000000A9), ref: 00E82D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E82D94

Strings

TaskbarCreated, xrefs: 00E82D37
+, xrefs: 00E82CF0
0, xrefs: 00E82CE9
AutoIt v3 GUI, xrefs: 00E82D23

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5a41d85c0a20967af79f75443e99d32f32f061b51e85c65d631131acba0b7d4b
Instruction ID: dc9081884853eb00f15e9130fdce910869deb48f24791844c928cafbe381bc09
Opcode Fuzzy Hash: 5a41d85c0a20967af79f75443e99d32f32f061b51e85c65d631131acba0b7d4b
Instruction Fuzzy Hash: C821C0B594131CAFDB00DFA4E889BDDBBB4FB08701F01811AF611A62A0D7B55544EF91

Function 00EC065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EC039A: CreateFileW.KERNELBASE(00000000,00000000,?,00EC0704,?,?,00000000,?,00EC0704,00000000,0000000C), ref: 00EC03B7

GetLastError.KERNEL32 ref: 00EC076F
__dosmaperr.LIBCMT ref: 00EC0776
GetFileType.KERNELBASE(00000000), ref: 00EC0782
GetLastError.KERNEL32 ref: 00EC078C
__dosmaperr.LIBCMT ref: 00EC0795
CloseHandle.KERNEL32(00000000), ref: 00EC07B5
CloseHandle.KERNEL32(?), ref: 00EC08FF
GetLastError.KERNEL32 ref: 00EC0931
__dosmaperr.LIBCMT ref: 00EC0938

Strings

H, xrefs: 00EC08BD

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 65bb2cda94358ff4ddfd7fbd69029cdbf7154b87b6bd089f78db07eef2fcbb9c
Instruction ID: df31f2a81efd6d46a08f57eeaa6d9763410f0ea1d985ca42b051cbb0d03fb23b
Opcode Fuzzy Hash: 65bb2cda94358ff4ddfd7fbd69029cdbf7154b87b6bd089f78db07eef2fcbb9c
Instruction Fuzzy Hash: A0A12532A002088FDF19AF68D951BAE7BE0EB46324F14515DF815AF2A1DB329913DB91

Function 00E8344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F51418,?,00E82E7F,?,?,?,00000000), ref: 00E83A78

Part of subcall function 00E83357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E83379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E8356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EC318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EC31CE
RegCloseKey.ADVAPI32(?), ref: 00EC3210
_wcslen.LIBCMT ref: 00EC3277
_wcslen.LIBCMT ref: 00EC3286

Strings

\Include\, xrefs: 00E83527
Software\AutoIt v3\AutoIt, xrefs: 00E83560
\, xrefs: 00EC328C
Include, xrefs: 00EC3184, 00EC31C5

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 6cf8623dce9e0596a83e3f9c61d916b215094e3999e113241b2d3848667094d1
Instruction ID: 35a6cce0efda4fea8ba6e446df9f846f9fffe8dd8ec704996049cd4e62540af1
Opcode Fuzzy Hash: 6cf8623dce9e0596a83e3f9c61d916b215094e3999e113241b2d3848667094d1
Instruction Fuzzy Hash: 4F71C0714083059EC704EF65DC819ABBBE8FF8A740F40562EF649A71B1EB319A48DB52

Function 00E82B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E82B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00E82B9D
LoadIconW.USER32(00000063), ref: 00E82BB3
LoadIconW.USER32(000000A4), ref: 00E82BC5
LoadIconW.USER32(000000A2), ref: 00E82BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E82BEF
RegisterClassExW.USER32(?), ref: 00E82C40

Part of subcall function 00E82CD4: GetSysColorBrush.USER32(0000000F), ref: 00E82D07
Part of subcall function 00E82CD4: RegisterClassExW.USER32(00000030), ref: 00E82D31
Part of subcall function 00E82CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E82D42
Part of subcall function 00E82CD4: InitCommonControlsEx.COMCTL32(?), ref: 00E82D5F
Part of subcall function 00E82CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E82D6F
Part of subcall function 00E82CD4: LoadIconW.USER32(000000A9), ref: 00E82D85
Part of subcall function 00E82CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E82D94

Strings

#, xrefs: 00E82C16
AutoIt v3, xrefs: 00E82C2F
0, xrefs: 00E82C0F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 47e938b6b2a22d40ef605803b839e663e27693cb22c2be5b25310deaaaa5f66d
Instruction ID: ca3e3018075aa390411999b7983d1dc80f74e5833b09e457fb344828cfb62086
Opcode Fuzzy Hash: 47e938b6b2a22d40ef605803b839e663e27693cb22c2be5b25310deaaaa5f66d
Instruction Fuzzy Hash: 41215E70E4031CAFDB109FA5EC65BAE7FB4FB48B51F01415AF604A66A0D3B12940EF90

Function 00E83170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E8316A,?,?), ref: 00E831D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00E8316A,?,?), ref: 00E83204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E83227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E8316A,?,?), ref: 00E83232
CreatePopupMenu.USER32 ref: 00E83246
PostQuitMessage.USER32(00000000), ref: 00E83267

Strings

TaskbarCreated, xrefs: 00E8322D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 9ec61e3f89b7b92aef43fe7e1dfaddb0c050a6cdaf4f8bf66bdc7cde8799ae34
Instruction ID: e1ea18cc51a4aeaa1f439c50b153dbaddb48b574a8801c999cfaf6372d89279e
Opcode Fuzzy Hash: 9ec61e3f89b7b92aef43fe7e1dfaddb0c050a6cdaf4f8bf66bdc7cde8799ae34
Instruction Fuzzy Hash: 8D414B31240308ABDB153B789D1DBFD3A59F706F09F046119FB0EB51E2D7B1AA41A7A1

Function 00E81410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E81459
CoUninitialize.COMBASE ref: 00E814F8
UnregisterHotKey.USER32(?), ref: 00E816DD
DestroyWindow.USER32(?), ref: 00EC24B9
FreeLibrary.KERNEL32(?), ref: 00EC251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EC254B

Strings

close all, xrefs: 00E81454

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 9962eec67a3309802445c3fad4c835783357219ba653d5d1b3a00301c4b0c876
Instruction ID: c6ea14f8e73b686974b7ba6c90739461d3f0119a873c9ac717e76ded717f6c79
Opcode Fuzzy Hash: 9962eec67a3309802445c3fad4c835783357219ba653d5d1b3a00301c4b0c876
Instruction Fuzzy Hash: 1ED145316012128FCB19EF14C995B69F7A4BF05714F2462ADE54EBB262DB32AC13CF91

Function 00E82C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E82C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E82CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E81CAD,?), ref: 00E82CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E81CAD,?), ref: 00E82CCF

Strings

AutoIt v3, xrefs: 00E82C89, 00E82C8E, 00E82C8F
edit, xrefs: 00E82CAC

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a648c142c68f59e505f13e4ef55c705515facfd7b8e571af58c41d2bdf56f6c9
Instruction ID: 674c4e1776c30cc57da9db59ae40bfa08f8473b7a5152ccbc36402bf0da6746d
Opcode Fuzzy Hash: a648c142c68f59e505f13e4ef55c705515facfd7b8e571af58c41d2bdf56f6c9
Instruction Fuzzy Hash: CDF0B7755813987AEB211717AC18FB73EBDE7C6F61B02405EFA00A65A0C6626850EAB4

Function 00E83B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E83B0F,SwapMouseButtons,00000004,?), ref: 00E83B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E83B0F,SwapMouseButtons,00000004,?), ref: 00E83B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00E83B0F,SwapMouseButtons,00000004,?), ref: 00E83B83

Strings

Control Panel\Mouse, xrefs: 00E83B3E

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 72ca1f873657b8b48de6267b7f6a90a6df0610b3aa15c46a00b60fda8cef1f9e
Instruction ID: 1b13d9f4718bbcfc3836fa7c41ca0a910c21bdab0fd455a23e3b0dab9d99d47c
Opcode Fuzzy Hash: 72ca1f873657b8b48de6267b7f6a90a6df0610b3aa15c46a00b60fda8cef1f9e
Instruction Fuzzy Hash: 67112AB5510208FFDB20DFA5DC44AEEBBB9EF04B84B109459A809E7110E2319F40A7A0

Function 00E83923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EC33A2

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E83A04

Strings

Line: , xrefs: 00EC33EB

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: c29e959d9d8e55626036b62baac1fe7e1147438db93c56d1d5e91c44b3bbd568
Instruction ID: 46300efbda7ecdaca63c802952e0c29a8df2890dba7e9cd8ce41fd198ab4c09f
Opcode Fuzzy Hash: c29e959d9d8e55626036b62baac1fe7e1147438db93c56d1d5e91c44b3bbd568
Instruction Fuzzy Hash: EF31C371508304AAD725FB20DC45BEBB7D8AB84B14F00692EF69DA2091EB74A649C7C2

Function 00E9FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00EA0668

Part of subcall function 00EA32A4: RaiseException.KERNEL32(?,?,?,00EA068A,?,00F51444,?,?,?,?,?,?,00EA068A,00E81129,00F48738,00E81129), ref: 00EA3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00EA0685

Strings

Unknown exception, xrefs: 00EA0692

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 2b93c92e630efdb226c1f6836a7389f2ba39191ffce21abaf022da273f54005c
Instruction ID: 76a92a9bb0db1e7e346a004267e6f5a2173d4d5a283ddfb80464e4f7e9973dcb
Opcode Fuzzy Hash: 2b93c92e630efdb226c1f6836a7389f2ba39191ffce21abaf022da273f54005c
Instruction Fuzzy Hash: 1AF0C23490020D778F00B6B4D856DAE7BAC5E4A358B605131F814FE9E2EF71FA66C5D1

Function 00E810F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E81BF4
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E81BFC
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E81C07
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E81C12
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E81C1A
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E81C22

Part of subcall function 00E81B4A: RegisterWindowMessageW.USER32(00000004,?,00E812C4), ref: 00E81BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E8136A
OleInitialize.OLE32 ref: 00E81388
CloseHandle.KERNEL32(00000000,00000000), ref: 00EC24AB

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: fcb9265b3b503670fa1f6f1ad4f34ed70ec8a6c95d931768fa780ad908ba30a7
Instruction ID: 86abb9199ff8b4ffa4178647cf9fc86db1778f7719c88ff6eb88c8a0a536ab38
Opcode Fuzzy Hash: fcb9265b3b503670fa1f6f1ad4f34ed70ec8a6c95d931768fa780ad908ba30a7
Instruction Fuzzy Hash: 3471EDB49013088FC794EF79A9417953AE4BB89347B58962AD60ED7362FB306845EF40

Function 00EEC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E83923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E83A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EEC259
KillTimer.USER32(?,00000001,?,?), ref: 00EEC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EEC270

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 43afb788b6d237f5111a05f0fccf6614704838b9c97f8a42cbeb65e8fc6554fb
Instruction ID: 2571cf161b2af8446e86bb491b0fb8dcf4273164e591020ef786d138a0647d99
Opcode Fuzzy Hash: 43afb788b6d237f5111a05f0fccf6614704838b9c97f8a42cbeb65e8fc6554fb
Instruction Fuzzy Hash: 5631D470904788AFEB229B648855BE6BBECAB0A308F10109DD29EA7251C3745A85CB51

Function 00EB86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00EB85CC,?,00F48CC8,0000000C), ref: 00EB8704
GetLastError.KERNEL32(?,00EB85CC,?,00F48CC8,0000000C), ref: 00EB870E
__dosmaperr.LIBCMT ref: 00EB8739

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 3119f523233a74476db04b6e7b21110df89245cd764a72c5e53a8974aa89e1b6
Instruction ID: de3054e506043aa4cef2aa8fe58051476163af55b8f9ad8731568ce35111f0d7
Opcode Fuzzy Hash: 3119f523233a74476db04b6e7b21110df89245cd764a72c5e53a8974aa89e1b6
Instruction Fuzzy Hash: D901083360562026D6647234AA457EF67CD4B8277CF392129E814BB3D6DEA08C81D590

Function 00E8DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00E8DB7B
DispatchMessageW.USER32(?), ref: 00E8DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E8DB9F
Sleep.KERNELBASE(0000000A), ref: 00E8DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00ED1CC9

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: ff59c5bfc061aa99ce71c01a70824f5a6bbdd6d39ed375c22904112d301e3143
Instruction ID: 250cdc0129f8819b17eefd01e131e93e7dd9d28f464b3283d12dd95ac4de981b
Opcode Fuzzy Hash: ff59c5bfc061aa99ce71c01a70824f5a6bbdd6d39ed375c22904112d301e3143
Instruction Fuzzy Hash: 79F082306483449BEB34DB70CC49FEA73ADEB44315F105919E60EE30C0DB70A488DB55

Function 00E91310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E917F6

Strings

CALL, xrefs: 00E917C6

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: eb93510cc1ead4ac2cbe145aeed4b57bbd99d428d541494b9a4f7ae25f3099ab
Instruction ID: e997a6c3a35e9588c5e34038ce9ae514bbbd4522c9f23325f40217b875877d48
Opcode Fuzzy Hash: eb93510cc1ead4ac2cbe145aeed4b57bbd99d428d541494b9a4f7ae25f3099ab
Instruction Fuzzy Hash: D3226C706083429FCB14DF14C480A6ABBF1FF89314F19999DF496AB3A2D771E845CB92

Function 00E82DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00EC2C8C

Part of subcall function 00E83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E83A97,?,?,00E82E7F,?,?,?,00000000), ref: 00E83AC2

Part of subcall function 00E82DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E82DC4

Strings

X, xrefs: 00EC2C5A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: b993dd09a8cf8b36296bec006840525053d4052fe89f664e6c224af7c8c90df4
Instruction ID: efc2f9ab7c2c7f2fd95938c4fa48f595b35607ee43d1ef29573aeff78f889c09
Opcode Fuzzy Hash: b993dd09a8cf8b36296bec006840525053d4052fe89f664e6c224af7c8c90df4
Instruction Fuzzy Hash: F9219371A002589BDF01EF94C845BEE7BF8AF49715F00905DE50DFB241DBB45A498BA1

Function 00E83837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E83908

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: da28d94d12a4cf1a7099a79998155e9482be22dfc53343313ba0cdfee41f0894
Instruction ID: 30e32cd0f1cf04271226eb35720157eef61f8bc352b131d54f697ad7bf9fe6e0
Opcode Fuzzy Hash: da28d94d12a4cf1a7099a79998155e9482be22dfc53343313ba0cdfee41f0894
Instruction Fuzzy Hash: 6D31C3705047059FD720EF34D895797BBE4FB49709F00092EF69DA3290E771AA44CB52

Function 00E9F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E9F661

Part of subcall function 00E8D730: GetInputState.USER32 ref: 00E8D807

Sleep.KERNEL32(00000000), ref: 00EDF2DE

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: d518a41c3fbe28023f7bb87789613920bf5e5f2e8591eab120ecc60a125b91f1
Instruction ID: 3f0e2860c6e3f0b562621ea33971a015f91def7921dc0aa98592d544c5c54b77
Opcode Fuzzy Hash: d518a41c3fbe28023f7bb87789613920bf5e5f2e8591eab120ecc60a125b91f1
Instruction Fuzzy Hash: 77F082712802059FD310FF65D845B9ABBE9EF45760F00502AE85DE73A1DB70A800CB91

Function 00E84ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E84E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E84EDD,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E9C
Part of subcall function 00E84E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E84EAE
Part of subcall function 00E84E90: FreeLibrary.KERNEL32(00000000,?,?,00E84EDD,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84EFD

Part of subcall function 00E84E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EC3CDE,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E62
Part of subcall function 00E84E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E84E74
Part of subcall function 00E84E59: FreeLibrary.KERNEL32(00000000,?,?,00EC3CDE,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E87

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: a78f95f61ec82769484684adb88524345082b876cc48e6fd7b0aed5f07acdddc
Instruction ID: 73a944a5fb168e80df535322341807277b19bd43de0a1f24a12dcb35a44aa39d
Opcode Fuzzy Hash: a78f95f61ec82769484684adb88524345082b876cc48e6fd7b0aed5f07acdddc
Instruction Fuzzy Hash: 2E11C172700206AACB14BB60D902FAD77E5EF40714F10A42EF64EBA1D1EE719A459790

Function 00EB8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00EB8440

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 2c8aade0e153c04de5333c13dc1de2315d20e6ffcecd031c174ef03ec98bfe60
Instruction ID: 910ae7e2fef82e891e457a6dcc0bb69edd7d21b5ba129ee7067f7a80830554a1
Opcode Fuzzy Hash: 2c8aade0e153c04de5333c13dc1de2315d20e6ffcecd031c174ef03ec98bfe60
Instruction Fuzzy Hash: 3211067590420AAFCB05DF58EA41ADF7BF9EF48314F104059F818AB312DA31DA11CBA5

Function 00EB5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EB4C7D: RtlAllocateHeap.NTDLL(00000008,00E81129,00000000,?,00EB2E29,00000001,00000364,?,?,?,00EAF2DE,00EB3863,00F51444,?,00E9FDF5,?), ref: 00EB4CBE

_free.LIBCMT ref: 00EB506C

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 0b8e7350566b953dd8bbfcbb1960e1904af0e9459bd2d9117d9b14d59f37ce5e
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: C50126732047056BE3219E659881ADBFBE8FB89370F25091DE294A32C0EA30A905C6B4

Function 00EAE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: c151f39cc51abbfaac46ae00f63411847774a7ee2b708e64beb2bd52431a7f62
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: D3F0F432510A14A6D6353A699C05B9B33DC9FD7334F102B59F525BA3D2DB70F80186A5

Function 00EB4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00E81129,00000000,?,00EB2E29,00000001,00000364,?,?,?,00EAF2DE,00EB3863,00F51444,?,00E9FDF5,?), ref: 00EB4CBE

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 36e75ac671b51678a7ae16d41bb3c4b9d369a486a3c185a00e88b2b96bee8f21
Instruction ID: 2d3864af718183b85ffde846d57e2cb58f3ac8139377542b6bd9bcb9618aeef1
Opcode Fuzzy Hash: 36e75ac671b51678a7ae16d41bb3c4b9d369a486a3c185a00e88b2b96bee8f21
Instruction Fuzzy Hash: AFF0BB7164222866FB215F629C05FD7BFC8BF41B65B196121F919BA1D3CA70EC0059E0

Function 00EB3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b125f32be4c55ec52c5bd31bb454ce63861f3df7f419743f4d7f06ba4702d955
Instruction ID: f288e896b89ef67e64d087ef2d489cb63d1bcefb2c071f84436bf3451518c7be
Opcode Fuzzy Hash: b125f32be4c55ec52c5bd31bb454ce63861f3df7f419743f4d7f06ba4702d955
Instruction Fuzzy Hash: 09E0E53114022466D72526BB9C02BDB36C8BF827B4F162230BC04BA4E1DB50ED0181E2

Function 00E84F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84F6D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9697a235ea71ce469eaac94b020cb4fe8d1611b63c773a193ceb93de3e8e56e0
Instruction ID: 2d0418afe28c06b49a146ad4f6a841081362e8c7508d324bc400e8aa9092f929
Opcode Fuzzy Hash: 9697a235ea71ce469eaac94b020cb4fe8d1611b63c773a193ceb93de3e8e56e0
Instruction Fuzzy Hash: 0DF030B1205752CFDB34AF64D490852B7E4FF1431D315A97EE2DEA2651C7319844DF50

Function 00F12A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F12A66

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 56e6eb85cd84c5c6c1d9a8c47604bc7a31019ad4adf37ef95ee36d57c76cb7c8
Instruction ID: 4fd9b08f9b99d6bfde93b7c34d52c8332d7fd4ddf431c3f550ba644ff40335d1
Opcode Fuzzy Hash: 56e6eb85cd84c5c6c1d9a8c47604bc7a31019ad4adf37ef95ee36d57c76cb7c8
Instruction Fuzzy Hash: B6E0263238011EAACB50EB70DC809FE738CEF50390700403AFC1AD2100DF34AAE1A6E0

Function 00E830F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E8314E

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c2974eba05a8da2aec8e9abf0657bf65da134ee83421ea890e8178b0d5203a5c
Instruction ID: 1874ad64ee452153d16eb823d75c1c26332ebd89cc9bec5863f5ce94ccc85486
Opcode Fuzzy Hash: c2974eba05a8da2aec8e9abf0657bf65da134ee83421ea890e8178b0d5203a5c
Instruction Fuzzy Hash: 87F037709143189FEB52DB64DC497D57BFCB70570CF0001E9A648A6191D7745788CF51

Function 00E82DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E82DC4

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0bfbff7e68eb68b6ea0bb00c12d0a2d92c9f2f13560251695c60ad2b32d3aec1
Instruction ID: 38e3dacaa5d581c33be39ccb732d8467556c649c8c1c9b4a26442451110918d5
Opcode Fuzzy Hash: 0bfbff7e68eb68b6ea0bb00c12d0a2d92c9f2f13560251695c60ad2b32d3aec1
Instruction Fuzzy Hash: 99E0CD726002245BC710A2989C05FDA77DDDFC8794F0540B5FD0DE7248D970ED808690

Function 00E82B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E83837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E83908

Part of subcall function 00E8D730: GetInputState.USER32 ref: 00E8D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00E82B6B

Part of subcall function 00E830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E8314E

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 811d9d662f5233e3d2fe4ae71b36ac1c7f2eb5020141e55cc2ab7b1039642fd7
Instruction ID: 156647871b1602c03f113fa5a85847309ebb3d8ffa66e9f2b7e2234ae0beaf16
Opcode Fuzzy Hash: 811d9d662f5233e3d2fe4ae71b36ac1c7f2eb5020141e55cc2ab7b1039642fd7
Instruction Fuzzy Hash: 02E0862170424806CA08BB74A8525BDF7D99BD2756F40353EF64EB71E3CE2549494352

Function 00EC039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00EC0704,?,?,00000000,?,00EC0704,00000000,0000000C), ref: 00EC03B7

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a53b64cbcf100b8a5715fd72bf8ba6f5c62ff87e7c1a7b0047f73aebeb157a6a
Instruction ID: 3b91d21c470b8b76c699d12721301452dd52698c001a00d0b7d690470abde19f
Opcode Fuzzy Hash: a53b64cbcf100b8a5715fd72bf8ba6f5c62ff87e7c1a7b0047f73aebeb157a6a
Instruction Fuzzy Hash: 7BD06C3208010DBBDF028F84DD06EDA3BAAFB48714F018000BE1866020C732E821AB90

Function 00E81CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00E81CBC

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: df33790c980f8244a0b265299ee47125fb353cfc42b698fda71aa558929eda51
Instruction ID: a62342313c9bb40367302a4a05cdc849472804e2a971c86240189e5b38af912c
Opcode Fuzzy Hash: df33790c980f8244a0b265299ee47125fb353cfc42b698fda71aa558929eda51
Instruction Fuzzy Hash: D9C092362C030CAFF2198B80BC5AF507765B349B02F098401F709A95F3D7A22820FA90

Non-executed Functions

Function 00F19576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F1961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F1965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F1969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F196C9
SendMessageW.USER32 ref: 00F196F2
GetKeyState.USER32(00000011), ref: 00F1978B
GetKeyState.USER32(00000009), ref: 00F19798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F197AE
GetKeyState.USER32(00000010), ref: 00F197B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F197E9
SendMessageW.USER32 ref: 00F19810
SendMessageW.USER32(?,00001030,?,00F17E95), ref: 00F19918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F1992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F19941
SetCapture.USER32(?), ref: 00F1994A
ClientToScreen.USER32(?,?), ref: 00F199AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F199BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F199D6
ReleaseCapture.USER32 ref: 00F199E1
GetCursorPos.USER32(?), ref: 00F19A19
ScreenToClient.USER32(?,?), ref: 00F19A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F19A80
SendMessageW.USER32 ref: 00F19AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F19AEB
SendMessageW.USER32 ref: 00F19B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F19B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F19B4A
GetCursorPos.USER32(?), ref: 00F19B68
ScreenToClient.USER32(?,?), ref: 00F19B75
GetParent.USER32(?), ref: 00F19B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F19BFA
SendMessageW.USER32 ref: 00F19C2B
ClientToScreen.USER32(?,?), ref: 00F19C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F19CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F19CDE
SendMessageW.USER32 ref: 00F19D01
ClientToScreen.USER32(?,?), ref: 00F19D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F19D82

Part of subcall function 00E99944: GetWindowLongW.USER32(?,000000EB), ref: 00E99952

GetWindowLongW.USER32(?,000000F0), ref: 00F19E05

Strings

F, xrefs: 00F19D07
@GUI_DRAGID, xrefs: 00F1997D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: c43365b659742c0f02762f67f2adc844d93e5c2b9f3f55c1665f5012b408a424
Instruction ID: 25c97b66cfd2952d78dbd0a7b59993272126776a0bf6b2867885fe1f2b65eb0b
Opcode Fuzzy Hash: c43365b659742c0f02762f67f2adc844d93e5c2b9f3f55c1665f5012b408a424
Instruction Fuzzy Hash: CE429031508205EFD724CF24CC64BEABBE5FF88320F154619F699972A1D7B1E890EB91

Function 00F14873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00F148F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00F14908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00F14927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00F1494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00F1495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00F1497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00F149AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00F149D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00F14A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F14A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F14A7E
IsMenu.USER32(?), ref: 00F14A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F14AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F14B20
GetWindowLongW.USER32(?,000000F0), ref: 00F14B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00F14BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00F14C82
wsprintfW.USER32 ref: 00F14CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F14CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F14CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F14D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F14D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F14D5A

Strings

%d/%02d/%02d, xrefs: 00F14CA8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 984c627b064a435732cd79183a20ee8bcdb47029cb7b69474a66c82eebff73d6
Instruction ID: 02a5ba752a97b4efba23af09c0814e00eca1ff28326c09b38898c9b770b49a62
Opcode Fuzzy Hash: 984c627b064a435732cd79183a20ee8bcdb47029cb7b69474a66c82eebff73d6
Instruction Fuzzy Hash: 2012E271A40218ABEB248F24CC49FEE7BF8EF85720F144119F519EB2E1D774A981EB50

Function 00E9F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00E9F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EDF474
IsIconic.USER32(00000000), ref: 00EDF47D
ShowWindow.USER32(00000000,00000009), ref: 00EDF48A
SetForegroundWindow.USER32(00000000), ref: 00EDF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EDF4AA
GetCurrentThreadId.KERNEL32 ref: 00EDF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EDF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EDF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EDF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00EDF4DE
SetForegroundWindow.USER32(00000000), ref: 00EDF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDF4F6
keybd_event.USER32(00000012,00000000), ref: 00EDF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDF50B
keybd_event.USER32(00000012,00000000), ref: 00EDF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDF519
keybd_event.USER32(00000012,00000000), ref: 00EDF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDF528
keybd_event.USER32(00000012,00000000), ref: 00EDF52D
SetForegroundWindow.USER32(00000000), ref: 00EDF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00EDF557

Strings

Shell_TrayWnd, xrefs: 00EDF46F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 17cbd8ff0e50409cdf148b13b148ccb5969c1374de52032fe300b27f4ec511b3
Instruction ID: fd81f19cd94dd1dda75e16e525114354601f3d41c8e45d13657a1498ba837f94
Opcode Fuzzy Hash: 17cbd8ff0e50409cdf148b13b148ccb5969c1374de52032fe300b27f4ec511b3
Instruction Fuzzy Hash: 56315D71A8021CBEEB216BB55C4AFFF7E6DEB44B50F154026FA05F61D1C6B09D01BAA0

Function 00EE1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00EE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EE170D
Part of subcall function 00EE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EE173A
Part of subcall function 00EE16C3: GetLastError.KERNEL32 ref: 00EE174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00EE1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00EE12A8
CloseHandle.KERNEL32(?), ref: 00EE12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EE12D1
GetProcessWindowStation.USER32 ref: 00EE12EA
SetProcessWindowStation.USER32(00000000), ref: 00EE12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EE1310

Part of subcall function 00EE10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EE11FC), ref: 00EE10D4
Part of subcall function 00EE10BF: CloseHandle.KERNEL32(?,?,00EE11FC), ref: 00EE10E9

Strings

default, xrefs: 00EE130B
winsta0, xrefs: 00EE12CC
, xrefs: 00EE125A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: e0c55cac5c5c44473aecd84873d11876267ed03a7ad82f3d8f9c69ea1e289c12
Instruction ID: ae03c043973e2d6c4db039a10cde9aa4eaf90974f333e2c3619a81056cef361a
Opcode Fuzzy Hash: e0c55cac5c5c44473aecd84873d11876267ed03a7ad82f3d8f9c69ea1e289c12
Instruction Fuzzy Hash: 03819D7190028DAFDF219FA5DC49FEE7BB9EF08704F149169F920B62A0D7708984DB61

Function 00EE0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EE1114
Part of subcall function 00EE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1120
Part of subcall function 00EE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE112F
Part of subcall function 00EE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1136
Part of subcall function 00EE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EE114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EE0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EE0C00
GetLengthSid.ADVAPI32(?), ref: 00EE0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00EE0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EE0C6D
GetLengthSid.ADVAPI32(?), ref: 00EE0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EE0C8C
HeapAlloc.KERNEL32(00000000), ref: 00EE0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EE0CB4
CopySid.ADVAPI32(00000000), ref: 00EE0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EE0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EE0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EE0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0D45
HeapFree.KERNEL32(00000000), ref: 00EE0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0D55
HeapFree.KERNEL32(00000000), ref: 00EE0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0D65
HeapFree.KERNEL32(00000000), ref: 00EE0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EE0D78
HeapFree.KERNEL32(00000000), ref: 00EE0D7F

Part of subcall function 00EE1193: GetProcessHeap.KERNEL32(00000008,00EE0BB1,?,00000000,?,00EE0BB1,?), ref: 00EE11A1
Part of subcall function 00EE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EE0BB1,?), ref: 00EE11A8
Part of subcall function 00EE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EE0BB1,?), ref: 00EE11B7

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1995b1140a89b59f5463be17c4eb62022f4c5b16b8462a2c371522e2b4760e8b
Instruction ID: be2ab79495d98e2c47f607b48b80bbf737f1498d4f6c8f8caf6d51ed91956c4b
Opcode Fuzzy Hash: 1995b1140a89b59f5463be17c4eb62022f4c5b16b8462a2c371522e2b4760e8b
Instruction Fuzzy Hash: C871777294024EAFDF10DFA6DC44BEEBBB8AF08304F158115E914F6291D7B5AA45CBA0

Function 00EFEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00F1CC08), ref: 00EFEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00EFEB37
GetClipboardData.USER32(0000000D), ref: 00EFEB43
CloseClipboard.USER32 ref: 00EFEB4F
GlobalLock.KERNEL32(00000000), ref: 00EFEB87
CloseClipboard.USER32 ref: 00EFEB91
GlobalUnlock.KERNEL32(00000000), ref: 00EFEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00EFEBC9
GetClipboardData.USER32(00000001), ref: 00EFEBD1
GlobalLock.KERNEL32(00000000), ref: 00EFEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00EFEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00EFEC38
GetClipboardData.USER32(0000000F), ref: 00EFEC44
GlobalLock.KERNEL32(00000000), ref: 00EFEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00EFEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EFEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EFECD2
GlobalUnlock.KERNEL32(00000000), ref: 00EFECF3
CountClipboardFormats.USER32 ref: 00EFED14
CloseClipboard.USER32 ref: 00EFED59

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 121ee79edffe0212cded4040c945465c16eb7bcebf66d2de754f714565960703
Instruction ID: 9e1b3448ef11e20916e188f0aee668f65578004a5644456f536a0f3e09277a1f
Opcode Fuzzy Hash: 121ee79edffe0212cded4040c945465c16eb7bcebf66d2de754f714565960703
Instruction Fuzzy Hash: 0161D1342043099FD310EF24C884FBA77E4AF84708F15951DF55AA72A2DB31E905DBA2

Function 00EF698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EF69BE
FindClose.KERNEL32(00000000), ref: 00EF6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EF6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EF6A75

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00EF6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00EF6ADF

Strings

%4d, xrefs: 00EF6BB1
%02d, xrefs: 00EF6C00, 00EF6C0A, 00EF6C5A, 00EF6CAA, 00EF6CFA, 00EF6D4A
%03d, xrefs: 00EF6DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00EF6B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00EF6B32

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 31150759839fe6d9335886d39a930826ece12d32eb5e98a173f9512d5c25a11a
Instruction ID: 7e3559e19b7767146a3885c46c01ae423b673c606282ae9e3ae8f76b0c1ae974
Opcode Fuzzy Hash: 31150759839fe6d9335886d39a930826ece12d32eb5e98a173f9512d5c25a11a
Instruction Fuzzy Hash: 07D15E72908304AFC714EBA0C891EBBB7ECAF98704F04591DF589E6191EB74DA44CB62

Function 00EF9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00EF9663
GetFileAttributesW.KERNEL32(?), ref: 00EF96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00EF96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00EF96D3
FindClose.KERNEL32(00000000), ref: 00EF96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00EF96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF974A
SetCurrentDirectoryW.KERNEL32(00F46B7C), ref: 00EF9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EF9772
FindClose.KERNEL32(00000000), ref: 00EF977F
FindClose.KERNEL32(00000000), ref: 00EF978F

Strings

*.*, xrefs: 00EF96F5

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: dc8b01e93705825d6520f4764b707fd5755359b043b55c2af7d2e44bd8d9b95f
Instruction ID: f07da18c1e3b13b682ad32f4d48238657ead9f0fbcc53e663bc42654d8a00457
Opcode Fuzzy Hash: dc8b01e93705825d6520f4764b707fd5755359b043b55c2af7d2e44bd8d9b95f
Instruction Fuzzy Hash: 8931F13258021D6BCB14AFB4DC08BEE37ACAF49325F118056FA54F20E1EB35DE409AA1

Function 00EF979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00EF97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00EF9819
FindClose.KERNEL32(00000000), ref: 00EF9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00EF9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF9890
SetCurrentDirectoryW.KERNEL32(00F46B7C), ref: 00EF98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EF98B8
FindClose.KERNEL32(00000000), ref: 00EF98C5
FindClose.KERNEL32(00000000), ref: 00EF98D5

Part of subcall function 00EEDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EEDB00

Strings

*.*, xrefs: 00EF983B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 4833a210d43e8a5f0b3879539da3b380d5489029eeb4e03388d5646a6ab2bf4a
Instruction ID: b6d4cf9a320d0dd5594b0363b239bc004218f415f89594922c56aa97fa5b7f6c
Opcode Fuzzy Hash: 4833a210d43e8a5f0b3879539da3b380d5489029eeb4e03388d5646a6ab2bf4a
Instruction Fuzzy Hash: 5731033254029D6ADB18AFB4DC48BEE37AC9F4A364F108056F990F20A1DB31DE849B60

Function 00F0BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0C9F1
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA68
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00F0BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00F0BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F0C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F0C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F0C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F0C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00F0C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00F0C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F0C382
RegCloseKey.ADVAPI32(00000000), ref: 00F0C38F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 1fbdf2ce35d049f7b549dd3d3bfa946689b4577631592447495362ff3f84e9d8
Instruction ID: 4264d44ccfc50fafb184cb6dd672e57dcb1cb8e8997237ce13134eef7c4e450d
Opcode Fuzzy Hash: 1fbdf2ce35d049f7b549dd3d3bfa946689b4577631592447495362ff3f84e9d8
Instruction Fuzzy Hash: 78027E716042009FD714DF28C895E2ABBE5EF89318F18C59DF84ADB2A2D731EC45EB91

Function 00EF8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EF8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00EF8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EF8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EF8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EF838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8395

Strings

*.*, xrefs: 00EF839B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: da7a21c86fd7d352316a034b1ff2c0ea71ef54170fdf9f320ffb0a8a97d8b26d
Instruction ID: e0435a21387a94a44464f2b5e164976c9bc7f8ff5d818a1d35c4d6672ae9930b
Opcode Fuzzy Hash: da7a21c86fd7d352316a034b1ff2c0ea71ef54170fdf9f320ffb0a8a97d8b26d
Instruction Fuzzy Hash: 1B616E725043499FD710EF60C8409AFB3E9FF89314F04991EFA99A7261DB31E945CB92

Function 00EED076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E83A97,?,?,00E82E7F,?,?,?,00000000), ref: 00E83AC2

Part of subcall function 00EEE199: GetFileAttributesW.KERNEL32(?,00EECF95), ref: 00EEE19A

FindFirstFileW.KERNEL32(?,?), ref: 00EED122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00EED1DD
MoveFileW.KERNEL32(?,?), ref: 00EED1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EED20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EED237

Part of subcall function 00EED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00EED21C,?,?), ref: 00EED2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00EED253
FindClose.KERNEL32(00000000), ref: 00EED264

Strings

\*.*, xrefs: 00EED0CD, 00EED0D6, 00EED0EB

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 5a7d6df65d8a416dbc49c37f5d4b31e4bbafc8fa2b356c69eaa6bef0aee6824c
Instruction ID: 5f41002ea4d4dd1509c4d6c219ab7c6805489e6c73ced5c36a37658a91f0ab52
Opcode Fuzzy Hash: 5a7d6df65d8a416dbc49c37f5d4b31e4bbafc8fa2b356c69eaa6bef0aee6824c
Instruction Fuzzy Hash: 3661793180918D9BCF05EBE1DE829FDB7B5AF54304F249065E40A731A2EB316F09DB60

Function 00EFED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EFED91
EmptyClipboard.USER32 ref: 00EFED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00EFEDAC
CloseClipboard.USER32 ref: 00EFEEA3

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: abef708485b1f9b8a420f0add5eeb85b271ee8165cad3db0b89e2cb543dbcb35
Instruction ID: 20cf7a5cfbbf7d0d70f2c5756d9e69e0442e8a6da95cbf3d2b58afeee70f21bb
Opcode Fuzzy Hash: abef708485b1f9b8a420f0add5eeb85b271ee8165cad3db0b89e2cb543dbcb35
Instruction Fuzzy Hash: CA41AB31204215AFE320DF25E888B69BBE1AF44318F15D099E559ABB72C736FC41DBD0

Function 00EEE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EE170D
Part of subcall function 00EE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EE173A
Part of subcall function 00EE16C3: GetLastError.KERNEL32 ref: 00EE174A

ExitWindowsEx.USER32(?,00000000), ref: 00EEE932

Strings

, xrefs: 00EEE920
SeShutdownPrivilege, xrefs: 00EEE902
@, xrefs: 00EEE925
, xrefs: 00EEE95C

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 1730d38af81eeb2e2bd948742d5261513c54c1c67c1519f34ef6e4a7b84ec414
Instruction ID: c017533923f6ab3562377ae55df284e377a3055e16a9096791ddd8691d0b103e
Opcode Fuzzy Hash: 1730d38af81eeb2e2bd948742d5261513c54c1c67c1519f34ef6e4a7b84ec414
Instruction Fuzzy Hash: 9401267261025DABEB1462B6AC86FFB72DC9B44744F155461FC02F32D3E6A29C4491A0

Function 00F01204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F01276
WSAGetLastError.WSOCK32 ref: 00F01283
bind.WSOCK32(00000000,?,00000010), ref: 00F012BA
WSAGetLastError.WSOCK32 ref: 00F012C5
closesocket.WSOCK32(00000000), ref: 00F012F4
listen.WSOCK32(00000000,00000005), ref: 00F01303
WSAGetLastError.WSOCK32 ref: 00F0130D
closesocket.WSOCK32(00000000), ref: 00F0133C

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 3f9d4ea21b84a1b7f467d127aefa06456ba8b2251d670db5f139d52194d641c2
Instruction ID: 6abee52d0251eb45ae38b02c1e7c170a83a879d5f788f781c2c28ca8dbf8e906
Opcode Fuzzy Hash: 3f9d4ea21b84a1b7f467d127aefa06456ba8b2251d670db5f139d52194d641c2
Instruction Fuzzy Hash: 01417271A001049FD710DF68C484B69BBE6BF46328F19819CE85A9F2D2C771ED81EBE1

Function 00EBB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EBB9D4
_free.LIBCMT ref: 00EBB9F8
_free.LIBCMT ref: 00EBBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F23700), ref: 00EBBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00F5121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00EBBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00F51270,000000FF,?,0000003F,00000000,?), ref: 00EBBC36
_free.LIBCMT ref: 00EBBD4B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 1033d44c057faebfb639e18c3b75223f2da5c2fd036a1a0e54bf3e5710125c81
Instruction ID: 33a4067a1217b8b303ab5c1237143e1b49d6519d0337a398ded9204342251c20
Opcode Fuzzy Hash: 1033d44c057faebfb639e18c3b75223f2da5c2fd036a1a0e54bf3e5710125c81
Instruction Fuzzy Hash: 36C11671904208AFDB20DF688C41BEFBBE8EF41314F1461AAE594FB251EBB09E41DB50

Function 00EED3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E83A97,?,?,00E82E7F,?,?,?,00000000), ref: 00E83AC2

Part of subcall function 00EEE199: GetFileAttributesW.KERNEL32(?,00EECF95), ref: 00EEE19A

FindFirstFileW.KERNEL32(?,?), ref: 00EED420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EED470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EED481
FindClose.KERNEL32(00000000), ref: 00EED498
FindClose.KERNEL32(00000000), ref: 00EED4A1

Strings

\*.*, xrefs: 00EED3F2

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 35d9ba015311f3630948bb3d5d71761ce488e0e57c8028bf233ff3b905da2ccf
Instruction ID: 51d283b23fc7306229d80379b280cd94e4ab2578799922a7e59c0b0242d0b751
Opcode Fuzzy Hash: 35d9ba015311f3630948bb3d5d71761ce488e0e57c8028bf233ff3b905da2ccf
Instruction Fuzzy Hash: 9F31703100C3899BC305FF64D8518EF77E8AEA1314F446A2DF4E9A3191EB30AA09D763

Function 00EBE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00EBE645

Strings

1#IND, xrefs: 00EBF83D
1#INF, xrefs: 00EBF852
1#SNAN, xrefs: 00EBF844
1#QNAN, xrefs: 00EBF84B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c2ee4bc664117fbbe9b732e329b8dcd05c20c79d0df2af2ed591a7258ac65abe
Instruction ID: 3785b77bba91a86b9d9bf3489ff9052c890031790b1f45412a9e32ad43939319
Opcode Fuzzy Hash: c2ee4bc664117fbbe9b732e329b8dcd05c20c79d0df2af2ed591a7258ac65abe
Instruction Fuzzy Hash: 6EC23972E086298FDB29CE28DD407EAB7B5EB49305F1451EAD84DF7241E774AE818F40

Function 00EF648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EF64DC
CoInitialize.OLE32(00000000), ref: 00EF6639
CoCreateInstance.OLE32(00F1FCF8,00000000,00000001,00F1FB68,?), ref: 00EF6650
CoUninitialize.OLE32 ref: 00EF68D4

Strings

.lnk, xrefs: 00EF64BA, 00EF6524, 00EF65E0

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9566d42eecdafc81248f6bef985b47590c9151239b79a5d950c0b4c1d83d72ad
Instruction ID: a9ec2e64228b0a15f1cadd2d502bda30e02961624994ab82e8f664c27693be8b
Opcode Fuzzy Hash: 9566d42eecdafc81248f6bef985b47590c9151239b79a5d950c0b4c1d83d72ad
Instruction Fuzzy Hash: 18D16B71608305AFC304EF24C88196BB7E8FF95308F14596DF599AB292DB71ED05CB92

Function 00F022DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00F022E8

Part of subcall function 00EFE4EC: GetWindowRect.USER32(?,?), ref: 00EFE504

GetDesktopWindow.USER32 ref: 00F02312
GetWindowRect.USER32(00000000), ref: 00F02319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00F02355
GetCursorPos.USER32(?), ref: 00F02381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F023DF

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 10fdd29d134368f3a1e0faf9c83b118d9b983eb30af3f8a755254409aca918f8
Instruction ID: e121a8c984f9ff1d007d5d804bfc35441f6b44c74e7b4e98e2e0315a046f0bc1
Opcode Fuzzy Hash: 10fdd29d134368f3a1e0faf9c83b118d9b983eb30af3f8a755254409aca918f8
Instruction Fuzzy Hash: 1D31C272504319AFD720DF55C849B9BBBEAFF84314F004919F985A7191DB34E908DBE2

Function 00EF9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00EF9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00EF9C8B

Part of subcall function 00EF3874: GetInputState.USER32 ref: 00EF38CB
Part of subcall function 00EF3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00EF9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00EF9C75

Strings

*.*, xrefs: 00EF9B5D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 425f6430b880de2b839f95f4328b958d74dc8db519e797ca32b4d4418ceeeec3
Instruction ID: c221c77514fef94ffbf6b174d4cb5d265e9a709a6d1b89c36fa54d0562ae5a10
Opcode Fuzzy Hash: 425f6430b880de2b839f95f4328b958d74dc8db519e797ca32b4d4418ceeeec3
Instruction Fuzzy Hash: 04415E7194420E9BCF14EF64C845BEEBBF4EF05314F245055E959B2192EB319E84CFA1

Function 00E9997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E99A4E
GetSysColor.USER32(0000000F), ref: 00E99B23
SetBkColor.GDI32(?,00000000), ref: 00E99B36

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 525d5c49e10aa83a35507fd483f89490ae7f3ce5b48f1a6fea706e6961582acb
Instruction ID: 9316d78f3b546d21bb0b11813cfbb126ec829c74b8773d4da863e88bfce48416
Opcode Fuzzy Hash: 525d5c49e10aa83a35507fd483f89490ae7f3ce5b48f1a6fea706e6961582acb
Instruction Fuzzy Hash: 1CA12870108504BFEB289B2C8C58EFF369DEB42349B15210EF552F6793EA65DD42E272

Function 00F01806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F0307A
Part of subcall function 00F0304E: _wcslen.LIBCMT ref: 00F0309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F0185D
WSAGetLastError.WSOCK32 ref: 00F01884
bind.WSOCK32(00000000,?,00000010), ref: 00F018DB
WSAGetLastError.WSOCK32 ref: 00F018E6
closesocket.WSOCK32(00000000), ref: 00F01915

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 6f433edd84c2398d12ac1ce3d6a1b043fb0009abb500760e302bde49a32ce262
Instruction ID: b9cd8a232a19bb27a4843591ea0f5d07d953aab902752881edb4f6cf561ee0b6
Opcode Fuzzy Hash: 6f433edd84c2398d12ac1ce3d6a1b043fb0009abb500760e302bde49a32ce262
Instruction Fuzzy Hash: 75519171A40200AFEB10AF24C886F6A77E5AB45718F58C098FA596F2D3C771AD41DBA1

Function 00F11C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F11CC0
IsWindowEnabled.USER32 ref: 00F11CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00F11CDB
IsIconic.USER32 ref: 00F11CE9
IsZoomed.USER32 ref: 00F11CF7

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4651b255bdd43b17cc1449b1931c6cbbaf3dbc9785826a120c6753841a13aa4e
Instruction ID: 9541e190c4101ef1c9d533c8c2ff777879624f81539783d1fe679040370e3e45
Opcode Fuzzy Hash: 4651b255bdd43b17cc1449b1931c6cbbaf3dbc9785826a120c6753841a13aa4e
Instruction Fuzzy Hash: 0D21D631B802155FD7208F1AD844BDA7BE5FF85324B198058E9498B351CB71DC82EBD0

Function 00E88060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00E8843C
VUUU, xrefs: 00E883E8
ERCP, xrefs: 00E8813C
VUUU, xrefs: 00E883FA
VUUU, xrefs: 00EC5DF0

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 2d200e978b8de8b86d04c711091cc8074e930fd5491bdd7173f224d8d409e899
Instruction ID: c883a702ff3b46e730e0fd21acf26b3f7e1771f5ed32f6530f399d6801b94165
Opcode Fuzzy Hash: 2d200e978b8de8b86d04c711091cc8074e930fd5491bdd7173f224d8d409e899
Instruction Fuzzy Hash: FFA27E71A0061ACBDF24DF58CA40BEEB7B1BF54314F6491AADC19B7281EB319D82DB50

Function 00EEAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00EEAAAC
SetKeyboardState.USER32(00000080), ref: 00EEAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00EEAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00EEAB88

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 44455814dce26ff860e2c7d37a639c5197d7e6159d53009e9c9d090811ee20de
Instruction ID: c9723d0041a603ed385dd9f980320331274cc82ffbc0ce0a229642d320e528e6
Opcode Fuzzy Hash: 44455814dce26ff860e2c7d37a639c5197d7e6159d53009e9c9d090811ee20de
Instruction Fuzzy Hash: 98312A30A4028CAEFB348A66CC05BFA77E6AB54314F0C522EF185B61D1D375A985D7A2

Function 00EFCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00EFCE89
GetLastError.KERNEL32(?,00000000), ref: 00EFCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00EFCEFE

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: dd6c64006b924cedbfcf5a56e1722c97ccc8b9a3e34ab88f615d8d7171b76853
Instruction ID: 6d14b896b8c0dc6924b0392ef32e3b63cc536cba2f229f9a08d2a08b3eb77b00
Opcode Fuzzy Hash: dd6c64006b924cedbfcf5a56e1722c97ccc8b9a3e34ab88f615d8d7171b76853
Instruction Fuzzy Hash: CE21BD7164030D9BDB20CF65CA48BB6B7F8EF40318F30941EE646E2151E770EE049BA0

Function 00EE8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EE82AA

Strings

(, xrefs: 00EE82F0
|, xrefs: 00EE82DA

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 10a853ca8e55841ecad4e6a56e24b2bd98d75246f05fb1ed9788f89009afc110
Instruction ID: cbe9c6409d12d672991cd77f7df0203cc33ec8a9eefd5259ab6d82fcae699fe2
Opcode Fuzzy Hash: 10a853ca8e55841ecad4e6a56e24b2bd98d75246f05fb1ed9788f89009afc110
Instruction Fuzzy Hash: 63324774A007459FCB28CF19C580AAAB7F0FF48714B15D56EE49AEB3A1EB70E941CB40

Function 00EF5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EF5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00EF5D17
FindClose.KERNEL32(?), ref: 00EF5D5F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1af329209fb9a098e018d5a37d9fd9c1639953458cf28577db260c32d8f96005
Instruction ID: 98f5071b9f616d207d3fc691bbb1d8578282508f3d92f788d7a06e28fbf282d3
Opcode Fuzzy Hash: 1af329209fb9a098e018d5a37d9fd9c1639953458cf28577db260c32d8f96005
Instruction Fuzzy Hash: C151BA35604A059FC704DF28C484AA6B7E4FF4A318F14955EEA5A9B3A1CB31ED00CBA1

Function 00EB2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00EB271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EB2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00EB2731

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f918bafef36be527b0f005c0a452ef1acad2de2fc0cedefc074dd9dbeaeaef69
Instruction ID: 1c39e16b3e98c97b084ddc2f181aadb02aa3963e686fa382f22ec344eb06033c
Opcode Fuzzy Hash: f918bafef36be527b0f005c0a452ef1acad2de2fc0cedefc074dd9dbeaeaef69
Instruction Fuzzy Hash: 0631C47494122C9BCB21DF68DC887D9B7B8AF08310F5051EAE91CA6260EB309F858F44

Function 00EF51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EF51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EF5238
SetErrorMode.KERNEL32(00000000), ref: 00EF52A1

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: de88d1498a6733c9b63c5ed1a9c045e26595c2e69966c9a844e332bd22dfe425
Instruction ID: 0dd49143572d1a0b9a4747a5135035c238f2eb0bac13de2618b8244564a28a58
Opcode Fuzzy Hash: de88d1498a6733c9b63c5ed1a9c045e26595c2e69966c9a844e332bd22dfe425
Instruction Fuzzy Hash: D3313E75A00518DFDB00DF54D884EADBBF5FF49318F198099E909AB362DB31E856CBA0

Function 00EE16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00EA0668
Part of subcall function 00E9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00EA0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EE170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EE173A
GetLastError.KERNEL32 ref: 00EE174A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: fd8b6c93bc832932776cd2d638ee82076e3135a4dd6fdcf9aac75071e1a2799d
Instruction ID: 82051b837072e179718a16ba927e14fc19607ac1fc4ab202bc40ad9850895467
Opcode Fuzzy Hash: fd8b6c93bc832932776cd2d638ee82076e3135a4dd6fdcf9aac75071e1a2799d
Instruction Fuzzy Hash: 1911C1B2410308AFD7189F54DC86EAAB7F9EB04714B20956EE056A7241EB70BC81CA60

Function 00EED5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EED608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00EED645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EED650

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 9485b91224298285cb38b90cc6a85e0d3ee7ae5d373eb91b52bac40fd75cb5dc
Instruction ID: 35c86952bf9042dcda955f22a179845d755c6252a7f5b1f624118eb2650fea03
Opcode Fuzzy Hash: 9485b91224298285cb38b90cc6a85e0d3ee7ae5d373eb91b52bac40fd75cb5dc
Instruction Fuzzy Hash: 54117CB1E45228BBDB108F95AC44FEFBBBCEB45B50F108111F914F7290C2704A018BE1

Function 00EE1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00EE168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EE16A1
FreeSid.ADVAPI32(?), ref: 00EE16B1

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d33b5b275e1a4f9072fbf452dac10a75df4a7ed521c720415280385d4e679849
Instruction ID: 14d552d19965e33dae89ec394d0e3eb4ab442e653d2ce850637209af871a3f6a
Opcode Fuzzy Hash: d33b5b275e1a4f9072fbf452dac10a75df4a7ed521c720415280385d4e679849
Instruction Fuzzy Hash: 0AF0F47199030DFBDB00DFE49C89EAEBBBCEB08604F5085A5E501E2181E774AA449A90

Function 00EBC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00EBC36C

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 598e6911298860c89314f32c7cac48ae32fdfb9f653fd6d5e13a16ed5c6f6014
Instruction ID: 4348c5f833abb012ee68c193f62c7bbf0953dacfbcbb392b2222525f0c9bf9e0
Opcode Fuzzy Hash: 598e6911298860c89314f32c7cac48ae32fdfb9f653fd6d5e13a16ed5c6f6014
Instruction Fuzzy Hash: 71413B769006196FCB209FB9CC49DFB77B8EB84718F6052ADF915E7180E6709E81CB50

Function 00EDD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00EDD28C

Strings

X64, xrefs: 00EDD2A8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: a0f853ff5b96f3478080f650d3bb88214ccc620ad334b0380b4bdaaf3b94a7ca
Instruction ID: 7b22138190abef8c32ea2f605a068f7d0993faed6343b88b38196f68f376a1b4
Opcode Fuzzy Hash: a0f853ff5b96f3478080f650d3bb88214ccc620ad334b0380b4bdaaf3b94a7ca
Instruction Fuzzy Hash: 38D0CAB480922DEACF94CBA0EC88DDAB3BCFB08345F105292F546F2100DB3096499F20

Function 00EACAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 1e71b40a1cfbb33dc88290d822204e8fc1b06e524a6539c2b7e37303f0407acc
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 47020A71E002199FDF14CFA9C9806ADFBF1EF49324F25916AD819FB280D731AA41CB94

Function 00EF68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EF6918
FindClose.KERNEL32(00000000), ref: 00EF6961

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 089cd1df342759593fb9f1b9e588712875b8421327454854aabb51a6ce5cecfd
Instruction ID: 06ff71a191ac7afeeef5ce922fb1e2681fa90089c83643d492ecd9e289ec559e
Opcode Fuzzy Hash: 089cd1df342759593fb9f1b9e588712875b8421327454854aabb51a6ce5cecfd
Instruction Fuzzy Hash: DC11D0316042049FD710DF29D484A26BBE1FF85328F15C699E5699F2A2C770EC05CB90

Function 00EF37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00F04891,?,?,00000035,?), ref: 00EF37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00F04891,?,?,00000035,?), ref: 00EF37F4

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cdafbc39ae490badc5cdcda63ab18d20084593eaa4d28738aba46dccbdc5819e
Instruction ID: 3e95d6a9a992053f6d6b30381b1808349b4dd7df1b5f1ed911586915181e3fd5
Opcode Fuzzy Hash: cdafbc39ae490badc5cdcda63ab18d20084593eaa4d28738aba46dccbdc5819e
Instruction Fuzzy Hash: 7FF0E5B070422C2AE72027769C4DFEB7AAEEFC5761F0001A6F609E22C1D9A09944C7F0

Function 00EEB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00EEB25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00EEB270

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 0d56755e0f50b2917cab9b5587f6b92d2ec1d005da504b4e4913aaeb5513e680
Instruction ID: 9d318b921a1419f40347280234ca1d3011c2524f6f0954bfc7ffd36fe0588e3d
Opcode Fuzzy Hash: 0d56755e0f50b2917cab9b5587f6b92d2ec1d005da504b4e4913aaeb5513e680
Instruction Fuzzy Hash: 94F01D7184428DABDB059FA1C805BEE7BB4FF08309F049009F955A51A1C77986119F94

Function 00EE10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EE11FC), ref: 00EE10D4
CloseHandle.KERNEL32(?,?,00EE11FC), ref: 00EE10E9

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 488e7aebbeadb74c4053ef05348ea7f551d0246a4b035ee85c23fbe3e4ed99c5
Instruction ID: cc54777f5b15d65292a4e57716aed9b3b1a865baff452651615c18f4a8f90c86
Opcode Fuzzy Hash: 488e7aebbeadb74c4053ef05348ea7f551d0246a4b035ee85c23fbe3e4ed99c5
Instruction Fuzzy Hash: 3FE0BF72058614AFFB252B51FC05EB777E9EB04320F25D82DF5A5D04B1DB626C90EB50

Function 00E8CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00ED0C40

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 51cba12ed3dc8ee39893b3103ce1a394e281740f437f33701d64b2bfeaa1b164
Instruction ID: 50be15c066e839033dd1234602775ec8625569b1ad2a1fc7bcde6b634c900b88
Opcode Fuzzy Hash: 51cba12ed3dc8ee39893b3103ce1a394e281740f437f33701d64b2bfeaa1b164
Instruction Fuzzy Hash: B2326E709002189BDF14EF90D981BEDB7B5FF06308F28605AE90EBB291D775AD46CB61

Function 00EB676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00EB6766,?,?,00000008,?,?,00EBFEFE,00000000), ref: 00EB6998

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: bb9be40ae88e2e5908989610216440ab03b2d7afe8eb1cb01c883d573b16d636
Instruction ID: 356af82c5a5cc5dd723fe91474da706cce09f9e8fc79d7f940638158b911c00d
Opcode Fuzzy Hash: bb9be40ae88e2e5908989610216440ab03b2d7afe8eb1cb01c883d573b16d636
Instruction Fuzzy Hash: 2FB16E31510609DFDB19CF28C486BA67BE0FF45368F259658E899DF2A1C739D981CB40

Function 00E9B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00ED851F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f2567e3282913a43dc99c6325c6a67254825a5bfb2fba13839b088178a4dd2e8
Instruction ID: 461fc6031b69b7d6359308a73d0042447152a2710dc6f946b54e46fa53260d96
Opcode Fuzzy Hash: f2567e3282913a43dc99c6325c6a67254825a5bfb2fba13839b088178a4dd2e8
Instruction Fuzzy Hash: 81125C719002299BCF24CF58D9816EEB7F5FF48710F1491AAE849FB251EB309E81DB90

Function 00EFEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00EFEABD

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f505187f4da11b7f395f0096eb797c8e349f9698e4ae1b0d2857c4266fd3d40f
Instruction ID: c66d2cf3b7a901e7e4c1a54ce98d7e4882b09cf31d3df63c818ac3fef088bdea
Opcode Fuzzy Hash: f505187f4da11b7f395f0096eb797c8e349f9698e4ae1b0d2857c4266fd3d40f
Instruction Fuzzy Hash: B5E01A312002089FD710EF59D804E9ABBE9AF997A4F009416FD4DE7361DA70A8408BA0

Function 00EA09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00EA03EE), ref: 00EA09DA

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4eab8b112c6a99fa05bc2ce36af79dd347f6b3e981549fcefe0c299c25921a4a
Instruction ID: ac866a93df09ee54d1d6616d06794de1e56d0242e63ae79d0facbfe78babb7a6
Opcode Fuzzy Hash: 4eab8b112c6a99fa05bc2ce36af79dd347f6b3e981549fcefe0c299c25921a4a
Instruction Fuzzy Hash:

Function 00EA781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00EA798B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 96a4f67583ffa95e072c4ba21c3d865360fb2e5336c26c0cc0839c3537e35ae3
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: A051436260C6156ADB3CC5288D5A7BF67D99B8F308F18350AD8C2FF282C619FE45D352

Function 00EB6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8b8f68ef44b8ffb5b897009495af20389a7ee8a3193c81c5c23216c696753e
Instruction ID: b2657488f37fc72974b64d1171bd9d6b8e3407b15ae251721ac4443f0a76bcba
Opcode Fuzzy Hash: 2f8b8f68ef44b8ffb5b897009495af20389a7ee8a3193c81c5c23216c696753e
Instruction Fuzzy Hash: 3B322222D29F014DD7739634CC22376A289AFB73C5F15E737E86AB5DA9EB28C4835100

Function 00E9CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9bd739e36719f30ad77f53a632cd879de1a4e9d4f84d55df17b407266d3be2
Instruction ID: e563c62d3b35f5ac498ccafd9e4f4152f9168647154e5e7799246f89172f9f27
Opcode Fuzzy Hash: bb9bd739e36719f30ad77f53a632cd879de1a4e9d4f84d55df17b407266d3be2
Instruction Fuzzy Hash: E4320831A401078BCF24DA68C4906BDBBA1EB45388F38A967D95AFB391D230DD83DB41

Function 00E87920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4cc22e3b765c07168452008aa58bb7d18c0ecc78f8a922adb99fc331a639dac
Instruction ID: 3769f9ca82d9bd39b7f6c1011459592abc1cb6bb4b817830e87be9c8e855a544
Opcode Fuzzy Hash: e4cc22e3b765c07168452008aa58bb7d18c0ecc78f8a922adb99fc331a639dac
Instruction Fuzzy Hash: 4222BE71A046099FDF14DF64C941AAEB3F2FF48304F246129E85AB7291EB36E951CB50

Function 00E891C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db70d7882063e2107145eddb65369d85920a076c502f994b7602d1d802a7cf32
Instruction ID: 758dc4e25ad4ef77c7a8b25ee8fae9e64468c43aa98ac37e0dce859e3b23b58b
Opcode Fuzzy Hash: db70d7882063e2107145eddb65369d85920a076c502f994b7602d1d802a7cf32
Instruction Fuzzy Hash: 900282B0E00209EBDF14DF64D981BADB7F1FF54304F159169E81AAB391EB31AA11CB91

Function 00EB9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd868e8557ec1ad01e8de25fb289feeafeba3b405a55bc679bb3a83aa03c912
Instruction ID: 2e0fd37f3c6e1cb234e9bf986eb39e293c6c3e16346c165de47c7cce0f86ba9c
Opcode Fuzzy Hash: 8bd868e8557ec1ad01e8de25fb289feeafeba3b405a55bc679bb3a83aa03c912
Instruction Fuzzy Hash: 20B12460D2AF444DC72396398831336B74CAFBB2C5F91D71BFC2674D22EB268A835140

Function 00EA7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8f924fa14035ea9dc808f6acb6e84f64abafb6ee69225ae822a2ca312a4300
Instruction ID: 7aa9786640288d54b2e974fa75089aa5a464e4273d946f0ef71fccda3dc462de
Opcode Fuzzy Hash: 9c8f924fa14035ea9dc808f6acb6e84f64abafb6ee69225ae822a2ca312a4300
Instruction Fuzzy Hash: C26158B120870966DA34DA288D95BFF63D6DF8F708F143919E8C2FF281D611BE428365

Function 00EA7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f187afd4c7d570bfd0dc3580005d0877652f89a424ed931f68b4a47ebf2f1ed7
Instruction ID: d983c8e516a79ea74182eb3834417905e93937d0d34eb50336eaf2e2ab2a8403
Opcode Fuzzy Hash: f187afd4c7d570bfd0dc3580005d0877652f89a424ed931f68b4a47ebf2f1ed7
Instruction Fuzzy Hash: 2261577160870956DE38CA284DA5BBF23D4AF4F708F14795DE9C3FF281EA12BD428255

Function 00EF2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bf723f9a3c92f3d16638302ff49e0a26796a1d8b33d6b3a1350720856ae0fa
Instruction ID: 8564b1720c0d8ef5fa79e731ae127ecdc18c36da3dff850a87b9d6aeee54dceb
Opcode Fuzzy Hash: f7bf723f9a3c92f3d16638302ff49e0a26796a1d8b33d6b3a1350720856ae0fa
Instruction Fuzzy Hash: 6A21E7323206158BDB28CF79C82367E73E5A764310F14862EE5A7D73D0DE39A904DB80

Function 00E9D063 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2279f33e6fc92b13980bfeb94ac58b6175621d3adc6e95f2a867b317778a5135
Instruction ID: c45181b31fd6ad21836f885c3b6c83bd4b38d521cb84f01a31c8deb5347d3d8c
Opcode Fuzzy Hash: 2279f33e6fc92b13980bfeb94ac58b6175621d3adc6e95f2a867b317778a5135
Instruction Fuzzy Hash: 2A11835208DFEBABDB4292B90CBE588BF70881602079847EFC5C446EC7EB8C405BD756

Function 00F02ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F02B30
DeleteObject.GDI32(00000000), ref: 00F02B43
DestroyWindow.USER32 ref: 00F02B52
GetDesktopWindow.USER32 ref: 00F02B6D
GetWindowRect.USER32(00000000), ref: 00F02B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00F02CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00F02CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02CF8
GetClientRect.USER32(00000000,?), ref: 00F02D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F02D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02D80
GlobalLock.KERNEL32(00000000), ref: 00F02D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02D98
GlobalUnlock.KERNEL32(00000000), ref: 00F02DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02DA8
GlobalFree.KERNEL32(00000000), ref: 00F02DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F1FC38,00000000), ref: 00F02DDB
GlobalFree.KERNEL32(00000000), ref: 00F02DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00F02E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00F02E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F0303F

Strings

static, xrefs: 00F02D3A, 00F02E91
AutoIt v3, xrefs: 00F02CF2
, xrefs: 00F02FC5
DISPLAY, xrefs: 00F02EA2

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a36f4c915e468581435d8fefa2e60cb687bbfb3eb346ae3f51a2adeae56e084b
Instruction ID: a250e71c8861fde0a47e05e8562e92984947b408f334881c5c918d6e3217d701
Opcode Fuzzy Hash: a36f4c915e468581435d8fefa2e60cb687bbfb3eb346ae3f51a2adeae56e084b
Instruction Fuzzy Hash: 9A027F71940209AFDB14DF64CC89EAE7BB9FF49711F118158F919AB2A1C770ED01EBA0

Function 00F170D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F1712F
GetSysColorBrush.USER32(0000000F), ref: 00F17160
GetSysColor.USER32(0000000F), ref: 00F1716C
SetBkColor.GDI32(?,000000FF), ref: 00F17186
SelectObject.GDI32(?,?), ref: 00F17195
InflateRect.USER32(?,000000FF,000000FF), ref: 00F171C0
GetSysColor.USER32(00000010), ref: 00F171C8
CreateSolidBrush.GDI32(00000000), ref: 00F171CF
FrameRect.USER32(?,?,00000000), ref: 00F171DE
DeleteObject.GDI32(00000000), ref: 00F171E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00F17230
FillRect.USER32(?,?,?), ref: 00F17262
GetWindowLongW.USER32(?,000000F0), ref: 00F17284

Part of subcall function 00F173E8: GetSysColor.USER32(00000012), ref: 00F17421
Part of subcall function 00F173E8: SetTextColor.GDI32(?,?), ref: 00F17425
Part of subcall function 00F173E8: GetSysColorBrush.USER32(0000000F), ref: 00F1743B
Part of subcall function 00F173E8: GetSysColor.USER32(0000000F), ref: 00F17446
Part of subcall function 00F173E8: GetSysColor.USER32(00000011), ref: 00F17463
Part of subcall function 00F173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F17471
Part of subcall function 00F173E8: SelectObject.GDI32(?,00000000), ref: 00F17482
Part of subcall function 00F173E8: SetBkColor.GDI32(?,00000000), ref: 00F1748B
Part of subcall function 00F173E8: SelectObject.GDI32(?,?), ref: 00F17498
Part of subcall function 00F173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00F174B7
Part of subcall function 00F173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F174CE
Part of subcall function 00F173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00F174DB

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 5a695f7d9e4a2538a5a80d61b02db816b22c254c5a7938fea7870c1e111460e2
Instruction ID: 1c635f4732394e9cf36632859ff69f17ddaedd6bce1edf8dff4818a195d6a58a
Opcode Fuzzy Hash: 5a695f7d9e4a2538a5a80d61b02db816b22c254c5a7938fea7870c1e111460e2
Instruction Fuzzy Hash: 91A1BF72448305BFDB00AF60DC48A9B7BB9FB49320F144A19F966A61E0D730E940EF91

Function 00F02711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F0273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F0286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00F028A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00F028B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00F02900
GetClientRect.USER32(00000000,?), ref: 00F0290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00F02955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F02964
GetStockObject.GDI32(00000011), ref: 00F02974
SelectObject.GDI32(00000000,00000000), ref: 00F02978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00F02988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F02991
DeleteDC.GDI32(00000000), ref: 00F0299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F029C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F029DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00F02A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F02A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F02A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00F02A77
GetStockObject.GDI32(00000011), ref: 00F02A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F02A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00F02A97

Strings

static, xrefs: 00F0294F, 00F02A71
AutoIt v3, xrefs: 00F028F8
msctls_progress32, xrefs: 00F02A13
DISPLAY, xrefs: 00F0295A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 710e730317a7a86c3f7f4bda50593d30741d41f08bafe56d8b3ab89f73636b60
Instruction ID: eeacaa49f431ac5e5f6a97abb1aa40c1d309d62ee126e2c8ff683bc29d0066f1
Opcode Fuzzy Hash: 710e730317a7a86c3f7f4bda50593d30741d41f08bafe56d8b3ab89f73636b60
Instruction Fuzzy Hash: 50B14971A40219AFEB14DFA8CC49FAA7BA9FB48711F108115FA18E72D0D770ED40DBA0

Function 00EF4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EF4AED
GetDriveTypeW.KERNEL32(?,00F1CB68,?,\\.\,00F1CC08), ref: 00EF4BCA
SetErrorMode.KERNEL32(00000000,00F1CB68,?,\\.\,00F1CC08), ref: 00EF4D36

Strings

RAMDisk, xrefs: 00EF4BF4
Fibre, xrefs: 00EF4CAD
SATA, xrefs: 00EF4CD0
SCSI, xrefs: 00EF4C8A
1394, xrefs: 00EF4C9F
Unknown, xrefs: 00EF4BED, 00EF4C83
CDROM, xrefs: 00EF4BFB
Virtual, xrefs: 00EF4CE5
Network, xrefs: 00EF4C02
PhysicalDrive, xrefs: 00EF4B76
Removable, xrefs: 00EF4C10, 00EF4C15
SSA, xrefs: 00EF4CA6
SAS, xrefs: 00EF4CC9
ATA, xrefs: 00EF4C98
MMC, xrefs: 00EF4CDE
FileBackedVirtual, xrefs: 00EF4CEC
\\.\, xrefs: 00EF4B3F
RAID, xrefs: 00EF4CBB
iSCSI, xrefs: 00EF4CC2
ATAPI, xrefs: 00EF4C91
Fixed, xrefs: 00EF4C09
SSD, xrefs: 00EF4C4A
USB, xrefs: 00EF4CB4

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0b9751a25fe114cf999ca8920466ed1d5b777d2b73bfce7ab00e824f2f04d52c
Instruction ID: a06b5a3b4c400a46b71bddafab982a0d7d8c78dde5699adfa1b86ea3e34ec21d
Opcode Fuzzy Hash: 0b9751a25fe114cf999ca8920466ed1d5b777d2b73bfce7ab00e824f2f04d52c
Instruction Fuzzy Hash: 7161E6B1A0520D9BDB04DF14C981ABABBB0AB45714B247015FE0AFB2D2DB36DD41EB53

Function 00F173E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F17421
SetTextColor.GDI32(?,?), ref: 00F17425
GetSysColorBrush.USER32(0000000F), ref: 00F1743B
GetSysColor.USER32(0000000F), ref: 00F17446
CreateSolidBrush.GDI32(?), ref: 00F1744B
GetSysColor.USER32(00000011), ref: 00F17463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F17471
SelectObject.GDI32(?,00000000), ref: 00F17482
SetBkColor.GDI32(?,00000000), ref: 00F1748B
SelectObject.GDI32(?,?), ref: 00F17498
InflateRect.USER32(?,000000FF,000000FF), ref: 00F174B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F174CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00F174DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F1752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F17554
InflateRect.USER32(?,000000FD,000000FD), ref: 00F17572
DrawFocusRect.USER32(?,?), ref: 00F1757D
GetSysColor.USER32(00000011), ref: 00F1758E
SetTextColor.GDI32(?,00000000), ref: 00F17596
DrawTextW.USER32(?,00F170F5,000000FF,?,00000000), ref: 00F175A8
SelectObject.GDI32(?,?), ref: 00F175BF
DeleteObject.GDI32(?), ref: 00F175CA
SelectObject.GDI32(?,?), ref: 00F175D0
DeleteObject.GDI32(?), ref: 00F175D5
SetTextColor.GDI32(?,?), ref: 00F175DB
SetBkColor.GDI32(?,?), ref: 00F175E5

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0ddca7b1baee11fe18345abdcc498531826542dbdd19b1db02c1a60cb4218185
Instruction ID: cdbf0abcdbc58a3db01a3c73cd6e580fd89d9c71554e5a0c8d9377eaa3bf9345
Opcode Fuzzy Hash: 0ddca7b1baee11fe18345abdcc498531826542dbdd19b1db02c1a60cb4218185
Instruction Fuzzy Hash: F7615C72D44218BFDF019FA4DC49AEEBFB9EB08320F158115F915BB2A1D7719940EB90

Function 00F10FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F11128
GetDesktopWindow.USER32 ref: 00F1113D
GetWindowRect.USER32(00000000), ref: 00F11144
GetWindowLongW.USER32(?,000000F0), ref: 00F11199
DestroyWindow.USER32(?), ref: 00F111B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F111ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F1120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F1121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00F11232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00F11245
IsWindowVisible.USER32(00000000), ref: 00F112A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00F112BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00F112D0
GetWindowRect.USER32(00000000,?), ref: 00F112E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00F1130E
GetMonitorInfoW.USER32(00000000,?), ref: 00F11328
CopyRect.USER32(?,?), ref: 00F1133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00F113AA

Strings

(, xrefs: 00F1131B
0, xrefs: 00F110D3
tooltips_class32, xrefs: 00F111E6

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 136dc6032fd23a209604891834b65777ad066a0e7a914529b770687c0e64b18f
Instruction ID: bf683c02e1915530f34a85d730cefe7ece555aa4914eada41d3c6e1539989696
Opcode Fuzzy Hash: 136dc6032fd23a209604891834b65777ad066a0e7a914529b770687c0e64b18f
Instruction Fuzzy Hash: 42B16F71A04341AFD714DF64C885BAABBE5FF88750F00891CFA9DAB2A1C771D844DB91

Function 00F10241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F102E5
_wcslen.LIBCMT ref: 00F1031F
_wcslen.LIBCMT ref: 00F10389
_wcslen.LIBCMT ref: 00F103F1
_wcslen.LIBCMT ref: 00F10475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F104C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F10504

Part of subcall function 00E9F9F2: _wcslen.LIBCMT ref: 00E9F9FD

Part of subcall function 00EE223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EE2258
Part of subcall function 00EE223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EE228A

Strings

SELECTINVERT, xrefs: 00F1057E
GETITEMCOUNT, xrefs: 00F10316, 00F10337
FINDITEM, xrefs: 00F10627
SELECTCLEAR, xrefs: 00F1052D
ISSELECTED, xrefs: 00F104DD
GETSELECTEDCOUNT, xrefs: 00F10470, 00F1048B
GETTEXT, xrefs: 00F103EC, 00F10407
SELECTALL, xrefs: 00F10515
VIEWCHANGE, xrefs: 00F10675
DESELECT, xrefs: 00F1059C
GETSUBITEMCOUNT, xrefs: 00F10384, 00F1039F
GETSELECTED, xrefs: 00F105E1
SELECT, xrefs: 00F10548

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e03303ba653923cddae26042181af491fc90b01a3d8ed91623908f0b80e10cbe
Instruction ID: e41f1cde0b568e681448e399dfd96b7b50ae6c4846da604968ab2d270964b068
Opcode Fuzzy Hash: e03303ba653923cddae26042181af491fc90b01a3d8ed91623908f0b80e10cbe
Instruction Fuzzy Hash: 8AE1B2316083418FC714EF24C59096AB7E6BFC8724F14496DF89AAB2A1DB70EDC5EB41

Function 00E98891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E98968
GetSystemMetrics.USER32(00000007), ref: 00E98970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E9899B
GetSystemMetrics.USER32(00000008), ref: 00E989A3
GetSystemMetrics.USER32(00000004), ref: 00E989C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E989E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E989F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E98A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E98A3C
GetClientRect.USER32(00000000,000000FF), ref: 00E98A5A
GetStockObject.GDI32(00000011), ref: 00E98A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E98A81

Part of subcall function 00E9912D: GetCursorPos.USER32(?), ref: 00E99141
Part of subcall function 00E9912D: ScreenToClient.USER32(00000000,?), ref: 00E9915E
Part of subcall function 00E9912D: GetAsyncKeyState.USER32(00000001), ref: 00E99183
Part of subcall function 00E9912D: GetAsyncKeyState.USER32(00000002), ref: 00E9919D

SetTimer.USER32(00000000,00000000,00000028,00E990FC), ref: 00E98AA8

Strings

AutoIt v3 GUI, xrefs: 00E98A20

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b409fe80966ac7ad1d533e55c78838703bcab16c9bb481bd6a98f93248d8c976
Instruction ID: 0f850a8c1a684748289678ea149977c8dfeb178d167652a6f66328da7dac70a2
Opcode Fuzzy Hash: b409fe80966ac7ad1d533e55c78838703bcab16c9bb481bd6a98f93248d8c976
Instruction Fuzzy Hash: 73B18C31A402099FDF14DFA8CD45BEE3BB5FB48315F11522AFA15AB2A0DB74E841DB90

Function 00EE0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EE1114
Part of subcall function 00EE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1120
Part of subcall function 00EE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE112F
Part of subcall function 00EE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1136
Part of subcall function 00EE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EE114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EE0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EE0E29
GetLengthSid.ADVAPI32(?), ref: 00EE0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00EE0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EE0E96
GetLengthSid.ADVAPI32(?), ref: 00EE0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EE0EB5
HeapAlloc.KERNEL32(00000000), ref: 00EE0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EE0EDD
CopySid.ADVAPI32(00000000), ref: 00EE0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EE0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EE0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EE0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0F6E
HeapFree.KERNEL32(00000000), ref: 00EE0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0F7E
HeapFree.KERNEL32(00000000), ref: 00EE0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0F8E
HeapFree.KERNEL32(00000000), ref: 00EE0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00EE0FA1
HeapFree.KERNEL32(00000000), ref: 00EE0FA8

Part of subcall function 00EE1193: GetProcessHeap.KERNEL32(00000008,00EE0BB1,?,00000000,?,00EE0BB1,?), ref: 00EE11A1
Part of subcall function 00EE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EE0BB1,?), ref: 00EE11A8
Part of subcall function 00EE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EE0BB1,?), ref: 00EE11B7

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7fb8805db076c21629c5762cd0369cf183a2b548b8768f4bef1b22015ced24de
Instruction ID: aac8de64b3d74f253462dd9912c77dccc816422c4701a4393be23e2c033fa14e
Opcode Fuzzy Hash: 7fb8805db076c21629c5762cd0369cf183a2b548b8768f4bef1b22015ced24de
Instruction Fuzzy Hash: 72717B72A4024EABDF209FA6DC44BEEBBB8BF08304F058115F959F6191D7709E55CBA0

Function 00F0C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F1CC08,00000000,?,00000000,?,?), ref: 00F0C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00F0C5A4
_wcslen.LIBCMT ref: 00F0C5F4
_wcslen.LIBCMT ref: 00F0C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00F0C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00F0C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00F0C84D
RegCloseKey.ADVAPI32(?), ref: 00F0C881
RegCloseKey.ADVAPI32(00000000), ref: 00F0C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00F0C960

Strings

REG_QWORD, xrefs: 00F0C8C3
REG_SZ, xrefs: 00F0C644
REG_MULTI_SZ, xrefs: 00F0C6F5
REG_EXPAND_SZ, xrefs: 00F0C5CD
REG_DWORD, xrefs: 00F0C804
REG_BINARY, xrefs: 00F0C913

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 4efd1b0a6190326b1a1e6cdfb324fe559ff0de31043c829dff95dd0cfdaaca12
Instruction ID: 4576173ac8d5c82f432a0fc919ac9d5ecbe0f51ed466067f0081f925557769e4
Opcode Fuzzy Hash: 4efd1b0a6190326b1a1e6cdfb324fe559ff0de31043c829dff95dd0cfdaaca12
Instruction Fuzzy Hash: 48126A356042019FD714EF14C881A2AB7E5FF88724F19895CF89EAB3A2DB31ED41DB91

Function 00F1091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F109C6
_wcslen.LIBCMT ref: 00F10A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F10A54
_wcslen.LIBCMT ref: 00F10A8A
_wcslen.LIBCMT ref: 00F10B06
_wcslen.LIBCMT ref: 00F10B81

Part of subcall function 00E9F9F2: _wcslen.LIBCMT ref: 00E9F9FD

Part of subcall function 00EE2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EE2BFA

Strings

GETITEMCOUNT, xrefs: 00F10C1E
GETTOTALCOUNT, xrefs: 00F109F2, 00F10A17
EXISTS, xrefs: 00F10B7C, 00F10B97
COLLAPSE, xrefs: 00F10B01, 00F10B1C
EXPAND, xrefs: 00F10BF8
GETSELECTED, xrefs: 00F10C4E
ISCHECKED, xrefs: 00F10CE1
UNCHECK, xrefs: 00F10D3E
SELECT, xrefs: 00F10D11
CHECK, xrefs: 00F10A85, 00F10AA0
GETTEXT, xrefs: 00F10C97

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 1814247841c76698b6ec4e36fe5b5bdcead8600fa57426e5eb5f8e825a94da50
Instruction ID: 56a5e9542fae7b6f196ab5b8e0680aed2d98f47f95d21df4f185352ba2d4894e
Opcode Fuzzy Hash: 1814247841c76698b6ec4e36fe5b5bdcead8600fa57426e5eb5f8e825a94da50
Instruction Fuzzy Hash: E7E1AD326083419FC714EF24C45096AB7E2BFD8314B14895CF89AAB3A2DB71EDC5DB91

Function 00F0C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
_wcslen.LIBCMT ref: 00F0C9F1
_wcslen.LIBCMT ref: 00F0CA68
_wcslen.LIBCMT ref: 00F0CA9E
_wcslen.LIBCMT ref: 00F0CAF9
_wcslen.LIBCMT ref: 00F0CB2F
_wcslen.LIBCMT ref: 00F0CB7F

Strings

HKCC, xrefs: 00F0CBAC
HKEY_USERS, xrefs: 00F0CBDF
HKLM, xrefs: 00F0CA98, 00F0CA9D
HKU, xrefs: 00F0CBF0
HKCR, xrefs: 00F0CB29, 00F0CB2E
HKEY_LOCAL_MACHINE, xrefs: 00F0CA62, 00F0CA67
HKEY_CURRENT_USER, xrefs: 00F0CBBD
HKCU, xrefs: 00F0CBCE
HKEY_CURRENT_CONFIG, xrefs: 00F0CB79, 00F0CB7E
HKEY_CLASSES_ROOT, xrefs: 00F0CAF3, 00F0CAF8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a6bfcf23fa3613b266022ace5067df7b650e789528ea652c131c2f048a91137a
Instruction ID: c9f651fdb2e4794d7d0f69c3b3ba2478a3a07fa7546187f49953fba17498f485
Opcode Fuzzy Hash: a6bfcf23fa3613b266022ace5067df7b650e789528ea652c131c2f048a91137a
Instruction Fuzzy Hash: D5710473A0016A8BCB20EF6CCC516BB3791ABA1760B654724FC56AB2C5E734DD44B3E0

Function 00F1833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F1835A
_wcslen.LIBCMT ref: 00F1836E
_wcslen.LIBCMT ref: 00F18391
_wcslen.LIBCMT ref: 00F183B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F183F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F15BF2), ref: 00F1844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F18487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F184CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F18501
FreeLibrary.KERNEL32(?), ref: 00F1850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F1851D
DestroyIcon.USER32(?,?,?,?,?,00F15BF2), ref: 00F1852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F18549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F18555

Strings

.icl, xrefs: 00F18368
.dll, xrefs: 00F183AB
.exe, xrefs: 00F18388

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b6eb51a06825f529ea9bfdca1013c5e2a4963368870fd17ec9971c04d9588583
Instruction ID: 832693c603a1e862b37c3ff45812b26cb7c56d2d79c5642f6ce0c477bc356519
Opcode Fuzzy Hash: b6eb51a06825f529ea9bfdca1013c5e2a4963368870fd17ec9971c04d9588583
Instruction Fuzzy Hash: 1A61D171940209BAEB14DF64CD41BFE77A8FF48761F108609F815EA0D1DFB4A991E7A0

Function 00E87778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00EC5153
#ce, xrefs: 00E878ED
#include, xrefs: 00E87847
Cannot parse #include, xrefs: 00EC5279
Bad directive syntax error, xrefs: 00EC519A
#include-once, xrefs: 00E8782F
#pragma compile, xrefs: 00E877D3
#requireadmin, xrefs: 00E877FF
#cs, xrefs: 00E87873, 00E878C5
Unterminated group of comments, xrefs: 00EC528C
#notrayicon, xrefs: 00E877E7
#comments-end, xrefs: 00E878D9
#comments-start, xrefs: 00E8785F, 00E878B1
#OnAutoItStartRegister, xrefs: 00E87817
', xrefs: 00EC5169

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 692b0ab92ab81436537d2e99777fe437c0fb5a97f6900d22bd175cd0f7523abf
Instruction ID: 0dd8919f1db7979dcd660e1e2706312f124f963039a23bf3363d85203c6849c2
Opcode Fuzzy Hash: 692b0ab92ab81436537d2e99777fe437c0fb5a97f6900d22bd175cd0f7523abf
Instruction Fuzzy Hash: 9281F271A44605ABDB20BF60CD42FEE77F8AF15300F146029F84CBA196EB72E951D7A1

Function 00EF3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00EF3EF8
_wcslen.LIBCMT ref: 00EF3F03
_wcslen.LIBCMT ref: 00EF3F5A
_wcslen.LIBCMT ref: 00EF3F98
GetDriveTypeW.KERNEL32(?), ref: 00EF3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EF401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EF4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EF4087

Strings

type cdaudio alias cd wait, xrefs: 00EF4001
wait, xrefs: 00EF4044
set cd door , xrefs: 00EF4028
open , xrefs: 00EF3FE5
close, xrefs: 00EF3EFE, 00EF3F18
closed, xrefs: 00EF3F08, 00EF3F2D, 00EF3F46, 00EF3F7E, 00EF3F97
open, xrefs: 00EF3F54, 00EF3F59
close cd wait, xrefs: 00EF4072

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 2cb7494908bd3797df91a6f1577bde06825df8db6de23ccfd81855c986a1a1f1
Instruction ID: 607196999970730444681aecae85de1b6d958f4d4471371eef7ab22bb52980d7
Opcode Fuzzy Hash: 2cb7494908bd3797df91a6f1577bde06825df8db6de23ccfd81855c986a1a1f1
Instruction Fuzzy Hash: F37190726042069FC310EF34C8818BBB7E4EF95758F10592DFA99A7291EB31DE45CB52

Function 00EE5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00EE5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00EE5A40
SetWindowTextW.USER32(?,?), ref: 00EE5A57
GetDlgItem.USER32(?,000003EA), ref: 00EE5A6C
SetWindowTextW.USER32(00000000,?), ref: 00EE5A72
GetDlgItem.USER32(?,000003E9), ref: 00EE5A82
SetWindowTextW.USER32(00000000,?), ref: 00EE5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00EE5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00EE5AC3
GetWindowRect.USER32(?,?), ref: 00EE5ACC
_wcslen.LIBCMT ref: 00EE5B33
SetWindowTextW.USER32(?,?), ref: 00EE5B6F
GetDesktopWindow.USER32 ref: 00EE5B75
GetWindowRect.USER32(00000000), ref: 00EE5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00EE5BD3
GetClientRect.USER32(?,?), ref: 00EE5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00EE5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00EE5C2F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: b14a00c3c9758462aae766fcb85f2f76efd90b0da5ceba728699d9041f52c647
Instruction ID: 4dd6764e77ca8b2561ac5130962f2b1dcfeaa62bcfa0f5c5fa60e6fc6a59e4aa
Opcode Fuzzy Hash: b14a00c3c9758462aae766fcb85f2f76efd90b0da5ceba728699d9041f52c647
Instruction Fuzzy Hash: 37717C32900B49AFDB20DFA9CE85AAEBBF5FF48708F105518E146B35A0D775E940DB50

Function 00EFFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00EFFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00EFFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00EFFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00EFFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00EFFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00EFFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00EFFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00EFFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00EFFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00EFFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00EFFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00EFFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00EFFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00EFFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00EFFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00EFFECC
GetCursorInfo.USER32(?), ref: 00EFFEDC
GetLastError.KERNEL32 ref: 00EFFF1E

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 132fb26792f48d75e872350874598aa19194c65f9639decc52dc2c5974a813c2
Instruction ID: 6becfde4e5a8b7fca9c351c2d5d7dd4dd4c261748e18c2af697adc32a7996e9e
Opcode Fuzzy Hash: 132fb26792f48d75e872350874598aa19194c65f9639decc52dc2c5974a813c2
Instruction Fuzzy Hash: CD4154B0E443196ADB109FBA8C8586EBFE8FF04354B54852AE11DE7281DB789901CF91

Function 00EA00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00EA00C6

Part of subcall function 00EA00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00F5070C,00000FA0,4AC1A84E,?,?,?,?,00EC23B3,000000FF), ref: 00EA011C
Part of subcall function 00EA00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00EC23B3,000000FF), ref: 00EA0127
Part of subcall function 00EA00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00EC23B3,000000FF), ref: 00EA0138
Part of subcall function 00EA00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00EA014E
Part of subcall function 00EA00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00EA015C
Part of subcall function 00EA00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00EA016A
Part of subcall function 00EA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EA0195
Part of subcall function 00EA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EA01A0

___scrt_fastfail.LIBCMT ref: 00EA00E7

Part of subcall function 00EA00A3: __onexit.LIBCMT ref: 00EA00A9

Strings

InitializeConditionVariable, xrefs: 00EA0148
kernel32.dll, xrefs: 00EA0133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00EA0122
SleepConditionVariableCS, xrefs: 00EA0154
WakeAllConditionVariable, xrefs: 00EA0162

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 53ace4fe6217860530e074f69ac18997f2d12ae959375877db81533d1fde4654
Instruction ID: edc2012803edf273d4f751db3280fdd1f84e65f8e0e1db0d74293c126e911e57
Opcode Fuzzy Hash: 53ace4fe6217860530e074f69ac18997f2d12ae959375877db81533d1fde4654
Instruction Fuzzy Hash: 7B212632A857156BE7105B64BC46BEA37E4EB0EB61F01512AFD01FB291DF60E800AA91

Function 00EE30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EE318D
_wcslen.LIBCMT ref: 00EE31F8

Strings

REGEXPCLASS, xrefs: 00EE3255, 00EE3266
TEXT, xrefs: 00EE347C
NAME, xrefs: 00EE3335, 00EE3346
CLASSNN, xrefs: 00EE31F3, 00EE3204
INSTANCE, xrefs: 00EE3453
CLASS, xrefs: 00EE3188, 00EE31A5

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 72a0dad7c4805bf0e857dcb67ea7c69a7e5fb29656d218b1d8740e377e35dcff
Instruction ID: 0666854599ba77fa66e6620aa9160e5e1763e9284115f90b109af9fe1e1d8280
Opcode Fuzzy Hash: 72a0dad7c4805bf0e857dcb67ea7c69a7e5fb29656d218b1d8740e377e35dcff
Instruction Fuzzy Hash: 5EE13A31A0055AABCB18DFB5C449BEEFBB0FF44714F54A129E466F7281DB30AE858790

Function 00EF44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00F1CC08), ref: 00EF4527
_wcslen.LIBCMT ref: 00EF453B
_wcslen.LIBCMT ref: 00EF4599
_wcslen.LIBCMT ref: 00EF45F4
_wcslen.LIBCMT ref: 00EF463F
_wcslen.LIBCMT ref: 00EF46A7

Part of subcall function 00E9F9F2: _wcslen.LIBCMT ref: 00E9F9FD

GetDriveTypeW.KERNEL32(?,00F46BF0,00000061), ref: 00EF4743

Strings

network, xrefs: 00EF469D, 00EF46A2
cdrom, xrefs: 00EF458F, 00EF4594
unknown, xrefs: 00EF4708
removable, xrefs: 00EF45EA, 00EF45EF
fixed, xrefs: 00EF4635, 00EF463A
all, xrefs: 00EF4531, 00EF4536
ramdisk, xrefs: 00EF46F1

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ffc1eaa3d1c701c7f5832859676886974c0218f7e27ba343bb395188a74b2ce7
Instruction ID: 0796e59135ab7fbe18b9f646085574d58d1b7f7dd6aac9c0063d99ada643b2af
Opcode Fuzzy Hash: ffc1eaa3d1c701c7f5832859676886974c0218f7e27ba343bb395188a74b2ce7
Instruction Fuzzy Hash: 04B123B16083069BC710EF28C89097BB7E4AFD6724F50691DF69AE72D1D730D944CB52

Function 00F03FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F1CC08), ref: 00F040BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F040CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00F1CC08), ref: 00F040F2
FreeLibrary.KERNEL32(00000000,?,00F1CC08), ref: 00F0413E
StringFromGUID2.OLE32(?,?,00000028,?,00F1CC08), ref: 00F041A8
SysFreeString.OLEAUT32(00000009), ref: 00F04262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F042C8
SysFreeString.OLEAUT32(?), ref: 00F042F2

Strings

kernel32.dll, xrefs: 00F040B6
GetModuleHandleExW, xrefs: 00F040C7

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 921a126b1c311a7d949b4291864d086e8269e36c8a00f8c1e47110c3c1881ee3
Instruction ID: 86d5e85acd20e1d14a5dcf573862239939930445511d7a48513e13eed42ff574
Opcode Fuzzy Hash: 921a126b1c311a7d949b4291864d086e8269e36c8a00f8c1e47110c3c1881ee3
Instruction Fuzzy Hash: 1E123CB5A00119EFDB14DF54C884EAEB7B5FF45314F248098EA05AB291D731FD46EBA0

Function 00E8326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00F51990), ref: 00EC2F8D
GetMenuItemCount.USER32(00F51990), ref: 00EC303D
GetCursorPos.USER32(?), ref: 00EC3081
SetForegroundWindow.USER32(00000000), ref: 00EC308A
TrackPopupMenuEx.USER32(00F51990,00000000,?,00000000,00000000,00000000), ref: 00EC309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EC30A9

Strings

0, xrefs: 00E8327D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: cf9ef4a5ddaeedd4d5bc60e354806213126cdaab65a4391fb1eb1e1b806d455b
Instruction ID: 7361cdbfdab9a4f5a182631032c92c89dd92f5b655ad84c545f429f38a346883
Opcode Fuzzy Hash: cf9ef4a5ddaeedd4d5bc60e354806213126cdaab65a4391fb1eb1e1b806d455b
Instruction Fuzzy Hash: CC711A71644249BEEB219F28CD49FDABF69FF05724F20421EF618761E0C7B2A911D790

Function 00F16CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00F16DEB

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F16E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F16E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F16E94
DestroyWindow.USER32(?), ref: 00F16EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E80000,00000000), ref: 00F16EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F16EFD
GetDesktopWindow.USER32 ref: 00F16F16
GetWindowRect.USER32(00000000), ref: 00F16F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F16F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F16F4D

Part of subcall function 00E99944: GetWindowLongW.USER32(?,000000EB), ref: 00E99952

Strings

0, xrefs: 00F16D98
tooltips_class32, xrefs: 00F16E58, 00F16EDD

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: f5f8fff5b03ec2770cf1c28c205b3ee45d89be793f0a941a65f42691b08f61d3
Instruction ID: 409871da581dc3a9bfe09e268741608a3a00f4c48861acb16e96ef4318a9ed97
Opcode Fuzzy Hash: f5f8fff5b03ec2770cf1c28c205b3ee45d89be793f0a941a65f42691b08f61d3
Instruction Fuzzy Hash: 3D718670644348AFEB21CF18D848BAABBE9FB88314F04451DF999C7260D770E946EF52

Function 00F1911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

DragQueryPoint.SHELL32(?,?), ref: 00F19147

Part of subcall function 00F17674: ClientToScreen.USER32(?,?), ref: 00F1769A
Part of subcall function 00F17674: GetWindowRect.USER32(?,?), ref: 00F17710
Part of subcall function 00F17674: PtInRect.USER32(?,?,00F18B89), ref: 00F17720

SendMessageW.USER32(?,000000B0,?,?), ref: 00F191B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F191BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F191DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F19225
SendMessageW.USER32(?,000000B0,?,?), ref: 00F1923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00F19255
SendMessageW.USER32(?,000000B1,?,?), ref: 00F19277
DragFinish.SHELL32(?), ref: 00F1927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F19371

Strings

@GUI_DROPID, xrefs: 00F1929E
@GUI_DRAGID, xrefs: 00F192E9
@GUI_DRAGFILE, xrefs: 00F19320

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 86a8d7225b311414213eb48c5a241c135d50049f7ffe9eb78d430a8fc035c675
Instruction ID: ccf13c29ba4d2d31158e7f46158bbc40577a65b1722473807741359a2a2d89ce
Opcode Fuzzy Hash: 86a8d7225b311414213eb48c5a241c135d50049f7ffe9eb78d430a8fc035c675
Instruction Fuzzy Hash: 8861AC71108305AFD701EF60DC95DAFBBE8EF89350F04092EF599A31A1DB709A48DB92

Function 00EFC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EFC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EFC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EFC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EFC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EFC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EFC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EFC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EFC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EFC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EFC5F0
InternetCloseHandle.WININET(00000000), ref: 00EFC5FB

Strings

, xrefs: 00EFC575

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 3701b00c0b4566cf30dc16632df2c6fd8cb2dd9e3d0b8dfde94c6e200c534439
Instruction ID: 554f4cdda617792b0b815191ee9674bf7b7be9d0792175788398363035f4bb04
Opcode Fuzzy Hash: 3701b00c0b4566cf30dc16632df2c6fd8cb2dd9e3d0b8dfde94c6e200c534439
Instruction Fuzzy Hash: 84514EB154020DBFDB218F60CA48ABB7BFCFF08758F209419FA45A6150DB74E944EBA0

Function 00F1856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00F18592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F185A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F185AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F185BA
GlobalLock.KERNEL32(00000000), ref: 00F185C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F185D7
GlobalUnlock.KERNEL32(00000000), ref: 00F185E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F185E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00F185F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00F1FC38,?), ref: 00F18611
GlobalFree.KERNEL32(00000000), ref: 00F18621
GetObjectW.GDI32(?,00000018,?), ref: 00F18641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00F18671
DeleteObject.GDI32(?), ref: 00F18699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F186AF

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: fe4dde5608e8a9a3b1793f742cd0d14f0c14d659eb5abf9ad098fb9ddef6a7e5
Instruction ID: df1dde1c9ccefc2827b136aaf460e4c568556cf94e43706bdea0295a116ba91a
Opcode Fuzzy Hash: fe4dde5608e8a9a3b1793f742cd0d14f0c14d659eb5abf9ad098fb9ddef6a7e5
Instruction Fuzzy Hash: 42413971640208AFDB118FA5CD48EEA7BB9EF89761F158058F909E7260DB309D41EB60

Function 00EF14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00EF1502
VariantCopy.OLEAUT32(?,?), ref: 00EF150B
VariantClear.OLEAUT32(?), ref: 00EF1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00EF15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00EF1657
VariantInit.OLEAUT32(?), ref: 00EF1708
SysFreeString.OLEAUT32(?), ref: 00EF178C
VariantClear.OLEAUT32(?), ref: 00EF17D8
VariantClear.OLEAUT32(?), ref: 00EF17E7
VariantInit.OLEAUT32(00000000), ref: 00EF1823

Strings

Default, xrefs: 00EF16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00EF1625

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: b10b2bd4209e4391566ec1f0a95cec0019d3b7bb13bcaad38668908ba11f814a
Instruction ID: aa88a01a2d0c7a1d62eaedd215342d4a3250c2a361726398768639696b2c0b8b
Opcode Fuzzy Hash: b10b2bd4209e4391566ec1f0a95cec0019d3b7bb13bcaad38668908ba11f814a
Instruction Fuzzy Hash: 30D1D031A0421DDBDF04AF65D885BB9B7F6BF45700F14909AEA4ABB181DB30DC41DBA2

Function 00F0B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00F0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0C9F1
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA68
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F0B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00F0B80A
RegCloseKey.ADVAPI32(?), ref: 00F0B87E
RegCloseKey.ADVAPI32(?), ref: 00F0B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00F0B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F0B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00F0B922
FreeLibrary.KERNEL32(00000000), ref: 00F0B983
RegCloseKey.ADVAPI32(00000000), ref: 00F0B994

Strings

RegDeleteKeyExW, xrefs: 00F0B8FE
advapi32.dll, xrefs: 00F0B8ED

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 380dfeb00884f15c0eefd92785894764198e03b47ab7a9698f0a8b3bc5a02651
Instruction ID: bf7c59b1931484d0ce6533eef08b60179bda2e1d0d3beb64579ce846fd28b8a1
Opcode Fuzzy Hash: 380dfeb00884f15c0eefd92785894764198e03b47ab7a9698f0a8b3bc5a02651
Instruction Fuzzy Hash: 41C1AD31608201AFD714DF14C494F2ABBE5FF84318F18859CF59A9B2A2CB75EC46EB91

Function 00F0255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F025D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00F025E8
CreateCompatibleDC.GDI32(?), ref: 00F025F4
SelectObject.GDI32(00000000,?), ref: 00F02601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00F0266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00F026AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00F026D0
SelectObject.GDI32(?,?), ref: 00F026D8
DeleteObject.GDI32(?), ref: 00F026E1
DeleteDC.GDI32(?), ref: 00F026E8
ReleaseDC.USER32(00000000,?), ref: 00F026F3

Strings

(, xrefs: 00F0268D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 3a9342dd4cb1486f57fb9e1f2509a8c7e89a96a913e9918aa14266e1b9bdedcf
Instruction ID: e75d547ca76ecbb5ab1cc844e2a3ef0161dcc3ea0be15a3cceb5056602503c70
Opcode Fuzzy Hash: 3a9342dd4cb1486f57fb9e1f2509a8c7e89a96a913e9918aa14266e1b9bdedcf
Instruction Fuzzy Hash: FE61D275D00219EFCF04CFA4DC84AAEBBB5FF48310F248529E959A7250D775A941EFA0

Function 00EBDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00EBDAA1

Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD659
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD66B
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD67D
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD68F
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6A1
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6B3
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6C5
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6D7
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6E9
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6FB
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD70D
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD71F
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD731

_free.LIBCMT ref: 00EBDA96

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EBDAB8
_free.LIBCMT ref: 00EBDACD
_free.LIBCMT ref: 00EBDAD8
_free.LIBCMT ref: 00EBDAFA
_free.LIBCMT ref: 00EBDB0D
_free.LIBCMT ref: 00EBDB1B
_free.LIBCMT ref: 00EBDB26
_free.LIBCMT ref: 00EBDB5E
_free.LIBCMT ref: 00EBDB65
_free.LIBCMT ref: 00EBDB82
_free.LIBCMT ref: 00EBDB9A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ece94b988cee1c1ac0ca4d5f44834684ea241796837c9a8419ea9dd936b0c7e1
Instruction ID: cb69b2dff3487c4c8bb0b8f9fdab21ffc1bf143fee6eb52e029d5616423c5323
Opcode Fuzzy Hash: ece94b988cee1c1ac0ca4d5f44834684ea241796837c9a8419ea9dd936b0c7e1
Instruction Fuzzy Hash: A3316D31608704AFEB22AA38EC85BD7B7E8FF40314F156819E548F7191EF31AC408720

Function 00EE365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00EE369C
_wcslen.LIBCMT ref: 00EE36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EE3797
GetClassNameW.USER32(?,?,00000400), ref: 00EE380C
GetDlgCtrlID.USER32(?), ref: 00EE385D
GetWindowRect.USER32(?,?), ref: 00EE3882
GetParent.USER32(?), ref: 00EE38A0
ScreenToClient.USER32(00000000), ref: 00EE38A7
GetClassNameW.USER32(?,?,00000100), ref: 00EE3921
GetWindowTextW.USER32(?,?,00000400), ref: 00EE395D

Strings

%s%u, xrefs: 00EE3734

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 1124c6e0e070bf42526acf04fbb3c01b12fd157a582279497c29bb0474498b81
Instruction ID: 589c05424b8c5bddd15046319e1e904b205b1b2150225e07af058e09cc2a6f54
Opcode Fuzzy Hash: 1124c6e0e070bf42526acf04fbb3c01b12fd157a582279497c29bb0474498b81
Instruction Fuzzy Hash: 9B91D27120064AAFD708DF36C889BEAB7E8FF84314F009519F999E3191DB31EA45CB91

Function 00EE4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00EE4994
GetWindowTextW.USER32(?,?,00000400), ref: 00EE49DA
_wcslen.LIBCMT ref: 00EE49EB
CharUpperBuffW.USER32(?,00000000), ref: 00EE49F7
_wcsstr.LIBVCRUNTIME ref: 00EE4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00EE4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00EE4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00EE4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00EE4B20
GetWindowRect.USER32(?,?), ref: 00EE4B8B

Strings

ThumbnailClass, xrefs: 00EE4A6F, 00EE4AF1

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: ad005fb8d370309149c6a39ff88c2d2da16a06dbc29b37a5abda447dd0229bfd
Instruction ID: 3dade7433127bb047e73be435848defe56e682f6496fb588042019fc0048216d
Opcode Fuzzy Hash: ad005fb8d370309149c6a39ff88c2d2da16a06dbc29b37a5abda447dd0229bfd
Instruction Fuzzy Hash: 6391A4B10042499FDB04DF16C985BAA77E8FF84318F049469FD89AA0D6EB34ED45CBA1

Function 00F18D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F18D5A
GetFocus.USER32 ref: 00F18D6A
GetDlgCtrlID.USER32(00000000), ref: 00F18D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00F18E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F18ECF
GetMenuItemCount.USER32(?), ref: 00F18EEC
GetMenuItemID.USER32(?,00000000), ref: 00F18EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F18F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F18F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F18FA1

Strings

0, xrefs: 00F18E9F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 70fbd44db02378a6e188267c391f7201386b483ec772140b804cff4f4d2e78fb
Instruction ID: 542fbe6fd7c219199c54cfcc0ba7b10255c26abfd2a55a1bd088f5f9497b8c97
Opcode Fuzzy Hash: 70fbd44db02378a6e188267c391f7201386b483ec772140b804cff4f4d2e78fb
Instruction Fuzzy Hash: 8881B2719043059FDB10CF14D984AEB7BEAFB883A4F14051DF985D7291DB30D982EBA1

Function 00EEBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00F51990,000000FF,00000000,00000030), ref: 00EEBFAC
SetMenuItemInfoW.USER32(00F51990,00000004,00000000,00000030), ref: 00EEBFE1
Sleep.KERNEL32(000001F4), ref: 00EEBFF3
GetMenuItemCount.USER32(?), ref: 00EEC039
GetMenuItemID.USER32(?,00000000), ref: 00EEC056
GetMenuItemID.USER32(?,-00000001), ref: 00EEC082
GetMenuItemID.USER32(?,?), ref: 00EEC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EEC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EEC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EEC145

Strings

0, xrefs: 00EEBF3D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 7fea262185f761744ce90d7604ec9c80a693e367859c522c4be8331601df4b83
Instruction ID: 0f8138882173e57c094e56a66070d81db7b5d054a429a4ba0569fc3ee3f65e26
Opcode Fuzzy Hash: 7fea262185f761744ce90d7604ec9c80a693e367859c522c4be8331601df4b83
Instruction Fuzzy Hash: D4617CB090038EAFDF11CF65DC88AEEBBB9EB05348F245055E911B3291C731AD06DBA0

Function 00EEDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00EEDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00EEDC46
_wcslen.LIBCMT ref: 00EEDC50
_wcsstr.LIBVCRUNTIME ref: 00EEDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00EEDCBC

Strings

04090000, xrefs: 00EEDCF2
%u.%u.%u.%u, xrefs: 00EEDD9A
DefaultLangCodepage, xrefs: 00EEDD1F
\VarFileInfo\Translation, xrefs: 00EEDCB4
StringFileInfo\, xrefs: 00EEDC8F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 548f088230f96a4002972a9e81ec857c0edef50f86c1266ac4e536d72a98cf71
Instruction ID: a4d2dd8506643ac13efada799c54111c8797ac26b86b742325a59b76a2758d28
Opcode Fuzzy Hash: 548f088230f96a4002972a9e81ec857c0edef50f86c1266ac4e536d72a98cf71
Instruction Fuzzy Hash: BA413472A442087ADB00A7658C47EFF7BECEF46760F101169F900FA193EB70E90097A6

Function 00F0CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F0CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00F0CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F0CD48

Part of subcall function 00F0CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00F0CCAA
Part of subcall function 00F0CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00F0CCBD
Part of subcall function 00F0CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F0CCCF
Part of subcall function 00F0CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F0CD05
Part of subcall function 00F0CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F0CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F0CCF3

Strings

RegDeleteKeyExW, xrefs: 00F0CCC9
advapi32.dll, xrefs: 00F0CCB8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 43de736e869db5f6004937be9ec32e5b52aaee046e60cf14eb08faef8a683a21
Instruction ID: 06d76154d3b4cf39562af43eff1b00df2cef3b748ba71819da497c0b52b6aa18
Opcode Fuzzy Hash: 43de736e869db5f6004937be9ec32e5b52aaee046e60cf14eb08faef8a683a21
Instruction Fuzzy Hash: 92317C71E4212CBBDB209B50DC88EFFBB7CEF05750F014265E915E2280DB349A45BAE0

Function 00EF3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EF3D40
_wcslen.LIBCMT ref: 00EF3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EF3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EF3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00EF3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EF3E55
CloseHandle.KERNEL32(00000000), ref: 00EF3E60
CloseHandle.KERNEL32(00000000), ref: 00EF3E6B

Strings

\, xrefs: 00EF3D77
\??\%s, xrefs: 00EF3D5B
:, xrefs: 00EF3D82

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 75db0b16a6cea772dea37b4bc03cd5edf2ba2f97f155800f4fc858dfd55a4357
Instruction ID: 7e780797bfc33b306351743cee9a7bb5ca6b4ada26d129f1b7f755bc89be4867
Opcode Fuzzy Hash: 75db0b16a6cea772dea37b4bc03cd5edf2ba2f97f155800f4fc858dfd55a4357
Instruction Fuzzy Hash: 6F31A17194025DABDB209FA0DC49FEF37BDEF89744F1050A9F605E6060EB7097448B64

Function 00EEE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00EEE6B4

Part of subcall function 00E9E551: timeGetTime.WINMM(?,?,00EEE6D4), ref: 00E9E555

Sleep.KERNEL32(0000000A), ref: 00EEE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00EEE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00EEE727
SetActiveWindow.USER32 ref: 00EEE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EEE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00EEE773
Sleep.KERNEL32(000000FA), ref: 00EEE77E
IsWindow.USER32 ref: 00EEE78A
EndDialog.USER32(00000000), ref: 00EEE79B

Strings

BUTTON, xrefs: 00EEE719

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 966e3491e531ae3e60ff1fd084b7a58fa1e92402d537a0adc1942ea40e120e04
Instruction ID: d34c1bc952492fd4ee07f9740ff74e540eecb4ffada131b67abff97863c017ea
Opcode Fuzzy Hash: 966e3491e531ae3e60ff1fd084b7a58fa1e92402d537a0adc1942ea40e120e04
Instruction Fuzzy Hash: E521A87024038DAFEB005F32EC89B653B69F75674EF116425F609A22B1DB71AC01BB55

Function 00EEE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EEEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EEEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EEEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EEEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EEEAA7

Strings

play PlayMe wait, xrefs: 00EEEA91
play PlayMe, xrefs: 00EEEAA2
open , xrefs: 00EEEA0C
alias PlayMe, xrefs: 00EEEA36
status PlayMe mode, xrefs: 00EEEA58
close PlayMe, xrefs: 00EEEA6E, 00EEEA9B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: c895cd1aa00567edda7358cc1e81a92c625fd4f61a9f8d20bb8b02e1a9df3186
Instruction ID: 92c6a11c2e2bfcdb92517d1da7b31e42bea7feffc1f8561e2759f5342b1921c1
Opcode Fuzzy Hash: c895cd1aa00567edda7358cc1e81a92c625fd4f61a9f8d20bb8b02e1a9df3186
Instruction Fuzzy Hash: 41114271A5025979D720B762DC4ADFB7ABCEBD2B04F001429B819F21D1EAB04945C6B2

Function 00EE9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00EEA012
SetKeyboardState.USER32(?), ref: 00EEA07D
GetAsyncKeyState.USER32(000000A0), ref: 00EEA09D
GetKeyState.USER32(000000A0), ref: 00EEA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00EEA0E3
GetKeyState.USER32(000000A1), ref: 00EEA0F4
GetAsyncKeyState.USER32(00000011), ref: 00EEA120
GetKeyState.USER32(00000011), ref: 00EEA12E
GetAsyncKeyState.USER32(00000012), ref: 00EEA157
GetKeyState.USER32(00000012), ref: 00EEA165
GetAsyncKeyState.USER32(0000005B), ref: 00EEA18E
GetKeyState.USER32(0000005B), ref: 00EEA19C

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 45f9d7435cc84206fdddf2f5590f1fd96723c7011fa54554c47917adc5287136
Instruction ID: d09b25a463a1781350d2d142d6a09a59e8ba4f1685bc0f71cd3b01671928d334
Opcode Fuzzy Hash: 45f9d7435cc84206fdddf2f5590f1fd96723c7011fa54554c47917adc5287136
Instruction Fuzzy Hash: 4E51B7606047CC29FB35DB6284117EABFF55F12348F0C95ADD5C2671C3DA54AA4CC762

Function 00EE5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00EE5CE2
GetWindowRect.USER32(00000000,?), ref: 00EE5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00EE5D59
GetDlgItem.USER32(?,00000002), ref: 00EE5D69
GetWindowRect.USER32(00000000,?), ref: 00EE5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00EE5DCF
GetDlgItem.USER32(?,000003E9), ref: 00EE5DDD
GetWindowRect.USER32(00000000,?), ref: 00EE5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00EE5E31
GetDlgItem.USER32(?,000003EA), ref: 00EE5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EE5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00EE5E67

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7eecec60a8ec50532260493010543a69d6440be9e8f8669e51890c06ed56355c
Instruction ID: 9c4fca5011ebf02ebf04154111ad8ed9525578d1d76685b4adaba6186c5d0c1e
Opcode Fuzzy Hash: 7eecec60a8ec50532260493010543a69d6440be9e8f8669e51890c06ed56355c
Instruction Fuzzy Hash: 37512F71B40609AFDF18CF69DD89AAEBBB5FB48314F158129F519E7290D7709E00CB90

Function 00E98BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E98F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E98BE8,?,00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00E98FC5

DestroyWindow.USER32(?), ref: 00E98C81
KillTimer.USER32(00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00E98D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00ED6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00ED69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00ED69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E98BBA,00000000), ref: 00ED69D4
DeleteObject.GDI32(00000000), ref: 00ED69E6

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 232ab1cf66081559ce5e938f9a32d43651ee7c92b58770aaf0fa43301e253b18
Instruction ID: 5409aa8d43f43e10cab98db0a91874c280b7eac288908625c354fbd53927932a
Opcode Fuzzy Hash: 232ab1cf66081559ce5e938f9a32d43651ee7c92b58770aaf0fa43301e253b18
Instruction Fuzzy Hash: 7C619C30502708DFDF259F14CA58B69B7F1FB4131AF14A51AE182AB6B0CB71BD81EB91

Function 00E99838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00E99944: GetWindowLongW.USER32(?,000000EB), ref: 00E99952

GetSysColor.USER32(0000000F), ref: 00E99862

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a84659da984bf2fbdbb0ae607840d1af85f9a0b2a289bac8c537803fe85d8f61
Instruction ID: dd223bab938b471153a013caa64386ebd4f2f369545820670178058f462b9a7b
Opcode Fuzzy Hash: a84659da984bf2fbdbb0ae607840d1af85f9a0b2a289bac8c537803fe85d8f61
Instruction Fuzzy Hash: EE41BF31140604AFDF345B3C9C84BB93BA5EB06324F15560EE9A2A72E2E7319C42EB51

Function 00EB8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

., xrefs: 00EB903A, 00EB8FD0, 00EB8FF2

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3963672497
Opcode ID: f9b334fdd812e33d495bbfc44ac487132fdfa62ff573b2ac54f4a1a234e90e70
Instruction ID: b20468182793d2102172766b4e9e337ac9a1dbf3537024f7e6a116adfc2efae3
Opcode Fuzzy Hash: f9b334fdd812e33d495bbfc44ac487132fdfa62ff573b2ac54f4a1a234e90e70
Instruction Fuzzy Hash: 5CC1E474A04249AFDB11EFA8D841BEEBBF4AF49314F185159F614BB393CB309941CB61

Function 00EE96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00ECF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00EE9717
LoadStringW.USER32(00000000,?,00ECF7F8,00000001), ref: 00EE9720

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00ECF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00EE9742
LoadStringW.USER32(00000000,?,00ECF7F8,00000001), ref: 00EE9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00EE9866

Strings

Line %d:, xrefs: 00EE97A0
%s (%d) : ==> %s: %s %s, xrefs: 00EE984A
^ ERROR, xrefs: 00EE97FB
Line %d (File "%s"):, xrefs: 00EE978F
Error: , xrefs: 00EE981D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 652c58e47360255eebc5a8ee17c8dbcfc9d238989a9ae514a0f40d311fe6c5cd
Instruction ID: 7b1c9a7588c3f81e56ee3cd16a294936fddc735fa90882f37f72ae0d21be44d9
Opcode Fuzzy Hash: 652c58e47360255eebc5a8ee17c8dbcfc9d238989a9ae514a0f40d311fe6c5cd
Instruction Fuzzy Hash: 57414D7290024DAACF04FBE0DD46DEEB7B8AF55740F141065F609B2092EB356F49DBA1

Function 00EE06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EE07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EE07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00EE07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00EE0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00EE082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EE0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EE083C

Strings

\CLSID, xrefs: 00EE0724
SOFTWARE\Classes\, xrefs: 00EE070E
\IPC$, xrefs: 00EE0784

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4b7e810881e57e67eb948dff8834a401999626fc00fa4c4d070ce9cd0f52e4e6
Instruction ID: c3007cd0acde4d131b158d4b13c581614fe5022d8c8fdb4401f8fe3fe51bd3fa
Opcode Fuzzy Hash: 4b7e810881e57e67eb948dff8834a401999626fc00fa4c4d070ce9cd0f52e4e6
Instruction Fuzzy Hash: C3412672C1022DABDF15FBA4DC858EDB7B8BF04754B05512AE909B3161EB749E44CBA0

Function 00F13F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F1403B
CreateCompatibleDC.GDI32(00000000), ref: 00F14042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F14055
SelectObject.GDI32(00000000,00000000), ref: 00F1405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F14068
DeleteDC.GDI32(00000000), ref: 00F14072
GetWindowLongW.USER32(?,000000EC), ref: 00F1407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00F14092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00F1409E

Strings

static, xrefs: 00F13FD3

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b96b197e79493b71b3072ae025ed334a2156f73264f7f6151daee65870b6006a
Instruction ID: 90d79e43f04ba5b12888a7aad4d5cc192c2543441a77bb1f23fe49a7c4b9e0bd
Opcode Fuzzy Hash: b96b197e79493b71b3072ae025ed334a2156f73264f7f6151daee65870b6006a
Instruction Fuzzy Hash: BB316E32541219BBDF219FA4DC09FDA3B69FF0D360F124211FA18E61A0C775D861EBA4

Function 00F03C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F03C5C
CoInitialize.OLE32(00000000), ref: 00F03C8A
CoUninitialize.OLE32 ref: 00F03C94
_wcslen.LIBCMT ref: 00F03D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00F03DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F03ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00F03F0E
CoGetObject.OLE32(?,00000000,00F1FB98,?), ref: 00F03F2D
SetErrorMode.KERNEL32(00000000), ref: 00F03F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F03FC4
VariantClear.OLEAUT32(?), ref: 00F03FD8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 4ab59db31495bf070a6ea579ad0b260fa84a7f1770794d042a1bfcaa66ac53ad
Instruction ID: 7eae4e635aceccf00a35f5ca5c495e2c11253a823f972fac83540498a9b84f30
Opcode Fuzzy Hash: 4ab59db31495bf070a6ea579ad0b260fa84a7f1770794d042a1bfcaa66ac53ad
Instruction Fuzzy Hash: 17C15671A083059FD700DF68C88492BBBE9FF89754F00491DF98A9B291D731EE05EB92

Function 00EF7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EF7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EF7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00EF7BA3
CoCreateInstance.OLE32(00F1FD08,00000000,00000001,00F46E6C,?), ref: 00EF7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EF7C74
CoTaskMemFree.OLE32(?,?), ref: 00EF7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00EF7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EF7D7A
CoTaskMemFree.OLE32(00000000), ref: 00EF7D81
CoTaskMemFree.OLE32(00000000), ref: 00EF7DD6
CoUninitialize.OLE32 ref: 00EF7DDC

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 3d4d510bc7bb3320dcd7c7179ce1b28d1a512142f9903539934b43207a3c2178
Instruction ID: cf53b48ae2c8a952e13f1d3a9d6b50f3f61a20b34fc156f1d284b09cc1474ca8
Opcode Fuzzy Hash: 3d4d510bc7bb3320dcd7c7179ce1b28d1a512142f9903539934b43207a3c2178
Instruction Fuzzy Hash: BFC14B75A04109AFCB14DFA4C884DAEBBF9FF49304B149498E95AEB361D731EE41CB90

Function 00F1541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F15504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F15515
CharNextW.USER32(00000158), ref: 00F15544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F15585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F1559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F155AC

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: c5909dc50ebe54e16d5e7a9561d03b5fcf3f124aa54dc7cdf95cbe2c6e76b940
Instruction ID: e2fac1761c1310ecb3c5ae657368f4abe8844929ff0da7e27fa133d0a1f73c87
Opcode Fuzzy Hash: c5909dc50ebe54e16d5e7a9561d03b5fcf3f124aa54dc7cdf95cbe2c6e76b940
Instruction Fuzzy Hash: 7461B031900608EFDF10DF50CC94AFE3BB9EB89B35F108145F925AA290D7748AC0EBA1

Function 00EDFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00EDFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00EDFB08
VariantInit.OLEAUT32(?), ref: 00EDFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00EDFB3A
VariantCopy.OLEAUT32(?,?), ref: 00EDFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00EDFBA1
VariantClear.OLEAUT32(?), ref: 00EDFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00EDFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EDFBCC
VariantClear.OLEAUT32(?), ref: 00EDFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EDFBE9

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 12cde59f1beb919855eab79c7148980a700b2c9c06b5fbbb3fb117ce3d13f423
Instruction ID: 3e00e63a7b968abbd52a3baef460e10655d0e59689d94bd7afd87a38396396e3
Opcode Fuzzy Hash: 12cde59f1beb919855eab79c7148980a700b2c9c06b5fbbb3fb117ce3d13f423
Instruction Fuzzy Hash: 05416235A04219DFDF04DFA4D8549EDBBB9FF08344F01906AE946A7361C730A946CFA0

Function 00EE9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00EE9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00EE9D22
GetKeyState.USER32(000000A0), ref: 00EE9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00EE9D57
GetKeyState.USER32(000000A1), ref: 00EE9D6C
GetAsyncKeyState.USER32(00000011), ref: 00EE9D84
GetKeyState.USER32(00000011), ref: 00EE9D96
GetAsyncKeyState.USER32(00000012), ref: 00EE9DAE
GetKeyState.USER32(00000012), ref: 00EE9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00EE9DD8
GetKeyState.USER32(0000005B), ref: 00EE9DEA

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0e35682423230cde1dcdc0ecb7a016b045888ad6c2fc641ed00efe196ee492f1
Instruction ID: 9fd22c762e4ac96c35ad72fda0a98476f9f0793b0f9c97de6bd2eebe9baf0785
Opcode Fuzzy Hash: 0e35682423230cde1dcdc0ecb7a016b045888ad6c2fc641ed00efe196ee492f1
Instruction Fuzzy Hash: 8441D5345047DD69FF34966288043F5FEE16B1134CF08A05ADAC66A5C3DBA599C8C7A2

Function 00F0055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F005BC
inet_addr.WSOCK32(?), ref: 00F0061C
gethostbyname.WSOCK32(?), ref: 00F00628
IcmpCreateFile.IPHLPAPI ref: 00F00636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F006C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F006E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00F007B9
WSACleanup.WSOCK32 ref: 00F007BF

Strings

Ping, xrefs: 00F00676

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 950007e6849d1289e700c8bf57cd54fb0d2bdf2cb587297deeded798a3aa71e1
Instruction ID: 2573323ff0aea23ea7dda9fd25c8bd0c778506c45438566d58eadee70c64d0fb
Opcode Fuzzy Hash: 950007e6849d1289e700c8bf57cd54fb0d2bdf2cb587297deeded798a3aa71e1
Instruction Fuzzy Hash: 2591C235A042019FD720DF15C888F1ABBE1AF45328F1885A9F4699B7A2CB34FD41EF91

Function 00F08CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00F08CF3

Part of subcall function 00EE8E54: _wcslen.LIBCMT ref: 00EE8E77

_wcslen.LIBCMT ref: 00F08D4E
_wcslen.LIBCMT ref: 00F08D9C
_wcslen.LIBCMT ref: 00F08DDC
_wcslen.LIBCMT ref: 00F08E6E

Strings

none, xrefs: 00F08E65, 00F08E6A
cdecl, xrefs: 00F08D48, 00F08D4D
stdcall, xrefs: 00F08DD6, 00F08DDB
winapi, xrefs: 00F08D96, 00F08D9B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 7ceeb6d2af318a14dec9455a686e84b389924a8e69cef1bfc08faeeaa2942ecd
Instruction ID: 107aae7f8fa5fbd68ae5101ea62fa8837304074c3bd088f94ea78775c836321a
Opcode Fuzzy Hash: 7ceeb6d2af318a14dec9455a686e84b389924a8e69cef1bfc08faeeaa2942ecd
Instruction Fuzzy Hash: 7E51B431E005169BCF14DFA8C9405BEB7E5BF65360B254229E89AE72C5DB30DD41F790

Function 00F0372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00F03774
CoUninitialize.OLE32 ref: 00F0377F
CoCreateInstance.OLE32(?,00000000,00000017,00F1FB78,?), ref: 00F037D9
IIDFromString.OLE32(?,?), ref: 00F0384C
VariantInit.OLEAUT32(?), ref: 00F038E4
VariantClear.OLEAUT32(?), ref: 00F03936

Strings

NULL Pointer assignment, xrefs: 00F0381E
Invalid parameter, xrefs: 00F03865
Failed to create object, xrefs: 00F037E4, 00F0389A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 68847103cb5be1bc186e90ca255536241e39985f3c95b82132ac2604d2384248
Instruction ID: 7d203c5de864816c6e44be6af9aa5942b03d0c82120d932edf3a24c5682d5ca7
Opcode Fuzzy Hash: 68847103cb5be1bc186e90ca255536241e39985f3c95b82132ac2604d2384248
Instruction Fuzzy Hash: 2961B072608301AFD310DF54C888F6ABBE8EF49710F104949F985AB2D1D770EE48EB92

Function 00EF3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EF33CF

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EF33F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00EF3504
"%s" (%d) : ==> %s:, xrefs: 00EF3522
Line %d (File "%s"):, xrefs: 00EF3443, 00EF345C
Incorrect parameters to object property !, xrefs: 00EF34AB
Error: , xrefs: 00EF34D1
^ ERROR , xrefs: 00EF349E

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 74e009ce21910a7a264bde0802804b58b0797df7f8bf9c17d8d6178eb7e8966d
Instruction ID: 63b0b3272715781a9ce94cb76562ec3b760c3a0a8cbb3b06da11ca9889dd3198
Opcode Fuzzy Hash: 74e009ce21910a7a264bde0802804b58b0797df7f8bf9c17d8d6178eb7e8966d
Instruction Fuzzy Hash: 94518B71D0020AAADF15FBE0CD46EFEB7B9AF04740F245065F509B20A2EB256F58DB61

Function 00EEB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EEB5FC
_wcslen.LIBCMT ref: 00EEB608
_wcslen.LIBCMT ref: 00EEB64D
_wcslen.LIBCMT ref: 00EEB68C
_wcslen.LIBCMT ref: 00EEB6C7

Strings

EXISTS, xrefs: 00EEB686, 00EEB68B
APPEND, xrefs: 00EEB6C1, 00EEB6C6
REMOVE, xrefs: 00EEB602, 00EEB607
KEYS, xrefs: 00EEB647, 00EEB64C

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 8573a5a7784b8ce8623229028a058be500775f7dc501e6f8977bad311435f5a1
Instruction ID: 99345bd97da0aefa4990c35bf4debc256be792597ec25f336d78acae5aacfce7
Opcode Fuzzy Hash: 8573a5a7784b8ce8623229028a058be500775f7dc501e6f8977bad311435f5a1
Instruction Fuzzy Hash: A541DD72A0016B9BCB105F7EC8905BF77A5AFA1758B245129E465FB284F731CD81C790

Function 00EF5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EF53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EF5416
GetLastError.KERNEL32 ref: 00EF5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00EF54A7

Strings

NOTREADY, xrefs: 00EF544B
INVALID, xrefs: 00EF5459
READY, xrefs: 00EF5460, 00EF5468
READONLY, xrefs: 00EF5452
UNKNOWN, xrefs: 00EF5444

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1a1cd8e8cc5153ae0771db3c435a1343d970b37a15562b05cc9bc269487b4667
Instruction ID: 528f3120e2bc03c9d63fd1032e6618f4845f537237692c0319628406aff92c51
Opcode Fuzzy Hash: 1a1cd8e8cc5153ae0771db3c435a1343d970b37a15562b05cc9bc269487b4667
Instruction Fuzzy Hash: 7A31B536A005099FD710DF68C484AF9BBF4EF15309F149056EA16EB292D731DD82CBA1

Function 00F13C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00F13C79
SetMenu.USER32(?,00000000), ref: 00F13C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F13D10
IsMenu.USER32(?), ref: 00F13D24
CreatePopupMenu.USER32 ref: 00F13D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F13D5B
DrawMenuBar.USER32 ref: 00F13D63

Strings

0, xrefs: 00F13C54
F, xrefs: 00F13D4E

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b4e59989165d235e7924d278d92ce76895049f1d274e4d9c57a1cb6dc43f2ebf
Instruction ID: fece29bd83db75fd547cd6937fe988f18ec02388940fff7a455bd2af40c69e42
Opcode Fuzzy Hash: b4e59989165d235e7924d278d92ce76895049f1d274e4d9c57a1cb6dc43f2ebf
Instruction Fuzzy Hash: 4E416879A01209AFDB14CF64E844BEA7BB6FF49354F144029EA46A7360D770AA10EB94

Function 00EE1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00EE1F64
GetDlgCtrlID.USER32 ref: 00EE1F6F
GetParent.USER32 ref: 00EE1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE1F8E
GetDlgCtrlID.USER32(?), ref: 00EE1F97
GetParent.USER32(?), ref: 00EE1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE1FAE

Strings

ListBox, xrefs: 00EE1F21
ComboBox, xrefs: 00EE1EEC

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 259dcf9061880ba999de24ddf98f93a03d49a309e5ddc12a5f035925436cc2f5
Instruction ID: cab6c30531c2c06c10f34076bce74ed099ff7b39cd04ec5895ac90557026f544
Opcode Fuzzy Hash: 259dcf9061880ba999de24ddf98f93a03d49a309e5ddc12a5f035925436cc2f5
Instruction Fuzzy Hash: F421B070E40218BFCF04AFA1CC95DFEBBB8EF05310B105155B96977292DB399948DBA0

Function 00EE1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00EE2043
GetDlgCtrlID.USER32 ref: 00EE204E
GetParent.USER32 ref: 00EE206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE206D
GetDlgCtrlID.USER32(?), ref: 00EE2076
GetParent.USER32(?), ref: 00EE208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE208D

Strings

ListBox, xrefs: 00EE2002
ComboBox, xrefs: 00EE1FCD

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: e26e9a742604a19231112b2caa10305a0e4c8b7b8df1068d70eac76fe20052fe
Instruction ID: c6ab1094085b4dfeeefbec6169d10f1504679a01c395c4a35d2307078b161060
Opcode Fuzzy Hash: e26e9a742604a19231112b2caa10305a0e4c8b7b8df1068d70eac76fe20052fe
Instruction Fuzzy Hash: FF21D171D40218BFCF15AFA1CC85EFEBBB8EF09300F105005B959B71A2DA798914EB60

Function 00F13A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F13A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F13AA0
GetWindowLongW.USER32(?,000000F0), ref: 00F13AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F13AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F13B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00F13BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00F13BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00F13BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00F13BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00F13C13

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: baa22df319c1f90c4990387de54f48da4bf38a5d78aaa5aca51ec9b3a1142ef2
Instruction ID: e3cb1e1e3af52112ce7ba6faf92b7b3517e977a45dc8edfe505301ae04393729
Opcode Fuzzy Hash: baa22df319c1f90c4990387de54f48da4bf38a5d78aaa5aca51ec9b3a1142ef2
Instruction Fuzzy Hash: DD618A75A00248AFDB10DFA8CC81FEE77F8EB49710F104099FA15A72A1D774AE85EB50

Function 00EB2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EB2C94

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EB2CA0
_free.LIBCMT ref: 00EB2CAB
_free.LIBCMT ref: 00EB2CB6
_free.LIBCMT ref: 00EB2CC1
_free.LIBCMT ref: 00EB2CCC
_free.LIBCMT ref: 00EB2CD7
_free.LIBCMT ref: 00EB2CE2
_free.LIBCMT ref: 00EB2CED
_free.LIBCMT ref: 00EB2CFB

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 16bf2d0648d33846a952f3c6b01b14ea63274378ad9443da0af611d922437b5c
Instruction ID: 7b743ac391e0ff3df73cc629b8362886047f8e18ffe957e77af4b7d337f37b29
Opcode Fuzzy Hash: 16bf2d0648d33846a952f3c6b01b14ea63274378ad9443da0af611d922437b5c
Instruction Fuzzy Hash: DF117476500108BFCB02EF54D982CDE3BA5FF49350F5159A9FA48AF222DA31EE509B90

Function 00EF7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EF7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF7FC1
GetFileAttributesW.KERNEL32(?), ref: 00EF7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00EF8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EF80B0

Strings

*.*, xrefs: 00EF8066

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0f47527053b270bcd3e9fffb7af9bd53a65ef98f86e4846f37711cb37626077d
Instruction ID: 6e3f59ee597647687d66d5263f1fb61c20985313a578e2557dbafffbe00e9783
Opcode Fuzzy Hash: 0f47527053b270bcd3e9fffb7af9bd53a65ef98f86e4846f37711cb37626077d
Instruction Fuzzy Hash: 1881D1725082099BDB20EF14C8449BEB3E8BF89318F54685EFAC9E7250EB34DD45CB52

Function 00E85BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E85C7A

Part of subcall function 00E85D0A: GetClientRect.USER32(?,?), ref: 00E85D30
Part of subcall function 00E85D0A: GetWindowRect.USER32(?,?), ref: 00E85D71
Part of subcall function 00E85D0A: ScreenToClient.USER32(?,?), ref: 00E85D99

GetDC.USER32 ref: 00EC46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EC4708
SelectObject.GDI32(00000000,00000000), ref: 00EC4716
SelectObject.GDI32(00000000,00000000), ref: 00EC472B
ReleaseDC.USER32(?,00000000), ref: 00EC4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EC47C4

Strings

U, xrefs: 00EC4693

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: d372e91147aa827a3d26ff736b77624caf52f6b56ea4de42427d313b42ca6519
Instruction ID: 6323038511778019afdc18bc709b034b2193a13e8a777e0f821854a8d3adc6b8
Opcode Fuzzy Hash: d372e91147aa827a3d26ff736b77624caf52f6b56ea4de42427d313b42ca6519
Instruction Fuzzy Hash: 8571D171400209DFCF219F64CA94FEA7BB1FF46318F14626AED596A1A6C7329842DF50

Function 00EF359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00EF35E4

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

LoadStringW.USER32(00F52390,?,00000FFF,?), ref: 00EF360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00EF3724
"%s" (%d) : ==> %s:, xrefs: 00EF3742
^ ERROR, xrefs: 00EF36C9
Line %d (File "%s"):, xrefs: 00EF366B
Error: , xrefs: 00EF36EF

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 1b04a672ef0235b3484ed58bfbb8e418335c38217569e40a685d77617ff67c60
Instruction ID: 8778be548c4df85369126ad3a3507e2d691e1ba7599fc7bc9916ab5859d58c7b
Opcode Fuzzy Hash: 1b04a672ef0235b3484ed58bfbb8e418335c38217569e40a685d77617ff67c60
Instruction Fuzzy Hash: 29513E71D00209AADF15FBA0DC42EFEBBB4AF04704F146125F609721A2EB356B95DBA1

Function 00F18B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

Part of subcall function 00E9912D: GetCursorPos.USER32(?), ref: 00E99141
Part of subcall function 00E9912D: ScreenToClient.USER32(00000000,?), ref: 00E9915E
Part of subcall function 00E9912D: GetAsyncKeyState.USER32(00000001), ref: 00E99183
Part of subcall function 00E9912D: GetAsyncKeyState.USER32(00000002), ref: 00E9919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00F18B6B
ImageList_EndDrag.COMCTL32 ref: 00F18B71
ReleaseCapture.USER32 ref: 00F18B77
SetWindowTextW.USER32(?,00000000), ref: 00F18C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00F18C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00F18CFF

Strings

@GUI_DROPID, xrefs: 00F18C51
@GUI_DRAGFILE, xrefs: 00F18C9A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 816e53eadc57f842772c2571832c83530d2c2ebc6ae592fdca0c502ec42eba65
Instruction ID: e825f2bd1b51379e8f59450408b68af3313755e069a8d757b65d9cd675382055
Opcode Fuzzy Hash: 816e53eadc57f842772c2571832c83530d2c2ebc6ae592fdca0c502ec42eba65
Instruction Fuzzy Hash: 5951BE70504304AFD700EF14DC56BAA77E4FB88751F04062DF95AA72E2CB30A944EBA2

Function 00EFC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EFC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EFC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EFC2CA
GetLastError.KERNEL32 ref: 00EFC322
SetEvent.KERNEL32(?), ref: 00EFC336
InternetCloseHandle.WININET(00000000), ref: 00EFC341

Strings

, xrefs: 00EFC2BB

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1720e8646db7cec01d57e3026813fe9de653f7e47d3d5782273ae1463c5adb97
Instruction ID: ffab49baf1452239b0a7e997a4b815bad17bccc6f7734371200d19dadcc61cb4
Opcode Fuzzy Hash: 1720e8646db7cec01d57e3026813fe9de653f7e47d3d5782273ae1463c5adb97
Instruction Fuzzy Hash: F731BFB160160CAFD7219F648E88ABB7BFCEB49784F34951EF546A2200DB30DD059BA0

Function 00EE989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00EC3AAF,?,?,Bad directive syntax error,00F1CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00EE98BC
LoadStringW.USER32(00000000,?,00EC3AAF,?), ref: 00EE98C3

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00EE9987

Strings

., xrefs: 00EE996D
Line %d:, xrefs: 00EE9912
Error: , xrefs: 00EE9955
%s (%d) : ==> %s.: %s %s, xrefs: 00EE98F1
Line %d (File "%s"):, xrefs: 00EE992D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 7cc2414a4eb9c6a1c90ee23febdd53b243fa8699e28c0cdec3819029d49a8c89
Instruction ID: 41fe636feabd483e7bafa58975cd4318019ef0a83132b60222db573fa76f8129
Opcode Fuzzy Hash: 7cc2414a4eb9c6a1c90ee23febdd53b243fa8699e28c0cdec3819029d49a8c89
Instruction Fuzzy Hash: F7218D31D4025EABCF15AF90CC06EEE77B5BF18700F045429F519720A2EB369618DB51

Function 00EE209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00EE20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00EE20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EE214D

Strings

smallicons, xrefs: 00EE2115
details, xrefs: 00EE20FB
largeicons, xrefs: 00EE20E1
SHELLDLL_DefView, xrefs: 00EE20CC
list, xrefs: 00EE212F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 7d41eb4e0951cf257257ea408ae03ae699dc3997d9c86b99f0b083518da8fd56
Instruction ID: f02af724245bcec6b153a52a70656a350479fc706a0b2e4aafdbfe27a5631f79
Opcode Fuzzy Hash: 7d41eb4e0951cf257257ea408ae03ae699dc3997d9c86b99f0b083518da8fd56
Instruction Fuzzy Hash: 07112C766C470EBAF6013A21DC07DE637DCCB49728B20201AFB04B90E2FEB1A9016555

Function 00EBCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00EBCEB7
_free.LIBCMT ref: 00EBCF22
_free.LIBCMT ref: 00EBCF48
_free.LIBCMT ref: 00EBCF71
_free.LIBCMT ref: 00EBCFA9
_free.LIBCMT ref: 00EBCFDA
_free.LIBCMT ref: 00EBD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00EBD09C
_free.LIBCMT ref: 00EBD0B5

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 39fa9fa9a45a456f94f07faa10f240ea4772c6457ab60ea3aea8fc4f7e8ed43f
Instruction ID: b8cf40785291db921f68d670909bfa01431b08195e19451824f014210d9c9d8e
Opcode Fuzzy Hash: 39fa9fa9a45a456f94f07faa10f240ea4772c6457ab60ea3aea8fc4f7e8ed43f
Instruction Fuzzy Hash: 32616A71A08304AFDF21AFB49C81AFB7BE6EF05324F2451ADFA44B7281EA319D019750

Function 00F150D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00F15186
ShowWindow.USER32(?,00000000), ref: 00F151C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00F151CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00F151D1

Part of subcall function 00F16FBA: DeleteObject.GDI32(00000000), ref: 00F16FE6

GetWindowLongW.USER32(?,000000F0), ref: 00F1520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F1521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F1524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00F15287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00F15296

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: f4a772f61799041f3c32e32db4943f22a4b6e15961aa1ed64dfbbbe9050e6a59
Instruction ID: adf3a7565b2fc687ef2ec97972573e9fcb459b1cc04b82a1d3f704f20fba006c
Opcode Fuzzy Hash: f4a772f61799041f3c32e32db4943f22a4b6e15961aa1ed64dfbbbe9050e6a59
Instruction Fuzzy Hash: F651B432A50A08FEEF219F64CC45BD83B65FB85B21F148115F615A62E1C7B5A9C0FF40

Function 00E98B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00ED6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00ED68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00ED68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00ED68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00ED68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E98874,00000000,00000000,00000000,000000FF,00000000), ref: 00ED6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00ED691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E98874,00000000,00000000,00000000,000000FF,00000000), ref: 00ED692D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 576073ead9d9e0077996a81a38ba2d5f8adc90f6bdfa192c5843974a5a461b60
Instruction ID: 8ef36cdf8359450b57c0b1035ae01c8c4c72220a47012f24130e8068a5178c40
Opcode Fuzzy Hash: 576073ead9d9e0077996a81a38ba2d5f8adc90f6bdfa192c5843974a5a461b60
Instruction Fuzzy Hash: 6B518874600209EFDF24CF24CC55FAA7BB6FB48354F145519FA46A72A0EB70E991EB80

Function 00EFC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EFC182
GetLastError.KERNEL32 ref: 00EFC195
SetEvent.KERNEL32(?), ref: 00EFC1A9

Part of subcall function 00EFC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EFC272
Part of subcall function 00EFC253: GetLastError.KERNEL32 ref: 00EFC322
Part of subcall function 00EFC253: SetEvent.KERNEL32(?), ref: 00EFC336
Part of subcall function 00EFC253: InternetCloseHandle.WININET(00000000), ref: 00EFC341

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 6ed11a7df4445dc17aba44ed788a9bc6e0bd7df1bd9259e573df270c404825f8
Instruction ID: 346529988c9bb43d1bab77124032545192a4308bb8e6284b77fc916638b0ea88
Opcode Fuzzy Hash: 6ed11a7df4445dc17aba44ed788a9bc6e0bd7df1bd9259e573df270c404825f8
Instruction Fuzzy Hash: EC31A471240A0DAFEB219FA5DE44AB67BF8FF14300B30941DF65692620D730D814EBA0

Function 00EE25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE3A57
Part of subcall function 00EE3A3D: GetCurrentThreadId.KERNEL32 ref: 00EE3A5E
Part of subcall function 00EE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EE25B3), ref: 00EE3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EE25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00EE25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EE2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00EE2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EE2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00EE2627

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1df4b23449a5435b97cd77bbc3926fbba47c668d66327ca46d9bd9da383662c9
Instruction ID: 8f7823f2cb78a7ccd05330ed627fd1bead2726a88ffc0b2cba4abbc62f87fb7f
Opcode Fuzzy Hash: 1df4b23449a5435b97cd77bbc3926fbba47c668d66327ca46d9bd9da383662c9
Instruction Fuzzy Hash: 3101D8303D0358BBFB10676A9C8EF997F99DB4EB11F115015F318BF0D1C9E114449AA9

Function 00EE1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00EE1449,?,?,00000000), ref: 00EE180C
HeapAlloc.KERNEL32(00000000,?,00EE1449,?,?,00000000), ref: 00EE1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EE1449,?,?,00000000), ref: 00EE1828
GetCurrentProcess.KERNEL32(?,00000000,?,00EE1449,?,?,00000000), ref: 00EE1830
DuplicateHandle.KERNEL32(00000000,?,00EE1449,?,?,00000000), ref: 00EE1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EE1449,?,?,00000000), ref: 00EE1843
GetCurrentProcess.KERNEL32(00EE1449,00000000,?,00EE1449,?,?,00000000), ref: 00EE184B
DuplicateHandle.KERNEL32(00000000,?,00EE1449,?,?,00000000), ref: 00EE184E
CreateThread.KERNEL32(00000000,00000000,00EE1874,00000000,00000000,00000000), ref: 00EE1868

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a441594fb693bb1822fa0304a2b71de4230bbb48a430473fd77dad3f14720ab3
Instruction ID: 61f99da41efbe8c21e0c269615f441bc6ec60d61e58860279ddad4d27a494938
Opcode Fuzzy Hash: a441594fb693bb1822fa0304a2b71de4230bbb48a430473fd77dad3f14720ab3
Instruction Fuzzy Hash: 2701BFB52C0348BFE710AB65DC4DF977B6CEB89B11F018411FA05DB192C6709800DB60

Function 00EB3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00EB3F0B
__alldvrm.LIBCMT ref: 00EB410C
__alldvrm.LIBCMT ref: 00EB412E

Strings

}}, xrefs: 00EB40CD
}}, xrefs: 00EB3E8A
}}, xrefs: 00EB3E96, 00EB3EF1, 00EB3F0A, 00EB4090

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}$}}$}}
API String ID: 1036877536-1495402609
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 1987bea809140b77a8af8bba7ad2daeddb054942d9ecac8270a97aaaa4422c74
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 9CA178B1E013869FDB22DF28C8927FFBBE5EF62354F1451ADE585AB282C2348941C751

Function 00F0A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00EED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00EED501
Part of subcall function 00EED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00EED50F
Part of subcall function 00EED4DC: CloseHandle.KERNELBASE(00000000), ref: 00EED5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F0A16D
GetLastError.KERNEL32 ref: 00F0A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F0A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F0A268
GetLastError.KERNEL32(00000000), ref: 00F0A273
CloseHandle.KERNEL32(00000000), ref: 00F0A2C4

Strings

SeDebugPrivilege, xrefs: 00F0A18F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 24d1a20983c821fc1dca9ece71462b36802d0b8e9ff93ada3bd84b1f1aeaa327
Instruction ID: f0a2c34a8358fc09725b7cd38226c0a57e5be0109c5e32a1c150a79f3f6e4a21
Opcode Fuzzy Hash: 24d1a20983c821fc1dca9ece71462b36802d0b8e9ff93ada3bd84b1f1aeaa327
Instruction Fuzzy Hash: BF618C31604342AFD710DF14C494F16BBE1AF44318F19849CE46A9B7A3C772EC45EB92

Function 00F13886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F13925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00F1393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F13954
_wcslen.LIBCMT ref: 00F13999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F139C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F139F4

Strings

SysListView32, xrefs: 00F138F7

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 85cd1904b9d670f816cbecb280cbe4e9d01904c08cb7a363204c1e74594280c8
Instruction ID: 4b750d961e90a8a32da2e6e602b9a850fc338d3c2f86f1ae8496a64c68f14694
Opcode Fuzzy Hash: 85cd1904b9d670f816cbecb280cbe4e9d01904c08cb7a363204c1e74594280c8
Instruction Fuzzy Hash: 1F41A171A00319ABEF219F64CC45BEA7BA9EF08360F100526F958E7281D775DE84EB90

Function 00EEBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EEBCFD
IsMenu.USER32(00000000), ref: 00EEBD1D
CreatePopupMenu.USER32 ref: 00EEBD53
GetMenuItemCount.USER32(01244C30), ref: 00EEBDA4
InsertMenuItemW.USER32(01244C30,?,00000001,00000030), ref: 00EEBDCC

Strings

2, xrefs: 00EEBD37
0, xrefs: 00EEBCA8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f0940446be7a274e5f20087e148cded6f7a2a5937a59b0162de212df089fe4bd
Instruction ID: 61099c117b045e326acf1ef04ac4f5793992d95323df9b801a4679b99b9dfc65
Opcode Fuzzy Hash: f0940446be7a274e5f20087e148cded6f7a2a5937a59b0162de212df089fe4bd
Instruction Fuzzy Hash: F7519C70A0028D9BDB20CFAADC84BEFBBF9AF45318F249219E411F7290D7709945CB61

Function 00EA2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00EA2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00EA2D53
_ValidateLocalCookies.LIBCMT ref: 00EA2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00EA2E0C
_ValidateLocalCookies.LIBCMT ref: 00EA2E61

Strings

&H, xrefs: 00EA2DFE, 00EA2E07, 00EA2E18
csm, xrefs: 00EA2DF6

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H$csm
API String ID: 1170836740-1242228090
Opcode ID: 4e92426f9133dd98c3c172d7416cf734bd2633f0c28e1b8c2b399365acd54df3
Instruction ID: 3783d7bbf119b33640efb5c2dc6a0c57d5f91f150a6928422b00798670d85234
Opcode Fuzzy Hash: 4e92426f9133dd98c3c172d7416cf734bd2633f0c28e1b8c2b399365acd54df3
Instruction Fuzzy Hash: 4A41A334A00209ABCF14DF6CC845A9EBBE5BF4A328F149159E914BF292D735FA01CBD0

Function 00EEC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00EEC913

Strings

question, xrefs: 00EEC8CC
warning, xrefs: 00EEC8FC
info, xrefs: 00EEC8B4
stop, xrefs: 00EEC8E4
blank, xrefs: 00EEC895

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2971896de50016e6bb3096d4f1a5685042c11d22538e43e657ccd5aa3549d6c1
Instruction ID: aa5c5e350c13978f140406cd5f96f9ce8fa6c4d6f79b2252cfc90c890b30a01d
Opcode Fuzzy Hash: 2971896de50016e6bb3096d4f1a5685042c11d22538e43e657ccd5aa3549d6c1
Instruction Fuzzy Hash: 38112E3168934EBAA70457559C82CDE77DCDF56318B30202AF904F61C3E7B5AD026269

Function 00EEDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00EEDE42
gethostname.WSOCK32(?,00000100), ref: 00EEDE5C
gethostbyname.WSOCK32(?), ref: 00EEDE69
inet_ntoa.WSOCK32(?), ref: 00EEDEAB
_strcat.LIBCMT ref: 00EEDEB9
WSACleanup.WSOCK32 ref: 00EEDEDE

Strings

0.0.0.0, xrefs: 00EEDE87

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: afb26f3b11bd3eba3a0111d65127feb744798cf663c5d5d6c7c0c186e5f353a5
Instruction ID: d2482e160189f2059447f1cf0b2d0d7825b0563171e40337c270dc82a91d6104
Opcode Fuzzy Hash: afb26f3b11bd3eba3a0111d65127feb744798cf663c5d5d6c7c0c186e5f353a5
Instruction Fuzzy Hash: 8611367190810DAFCB20AB61DC4AEEF37FCDF55724F011169F405FA0A1EFB19A809A90

Function 00F19F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

GetSystemMetrics.USER32(0000000F), ref: 00F19FC7
GetSystemMetrics.USER32(0000000F), ref: 00F19FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F1A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F1A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F1A263
ShowWindow.USER32(00000003,00000000), ref: 00F1A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00F1A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00F1A2CA

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 8e12958f27fcbfa85a699af954d346d3e91036a4c1c4d8ab15b64a15784bb80b
Instruction ID: be1e4daa949a2d81613519f05584397398c1fcc9ce180edb0db31f887294f1ed
Opcode Fuzzy Hash: 8e12958f27fcbfa85a699af954d346d3e91036a4c1c4d8ab15b64a15784bb80b
Instruction Fuzzy Hash: E1B1A931A01219EFDF14CF68C9857EE7BF2BF48711F098069EC49AB295D731A980EB51

Function 00EEED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00EEED2A
_wcslen.LIBCMT ref: 00EEED3B
_wcslen.LIBCMT ref: 00EEED79
_wcslen.LIBCMT ref: 00EEEDAF
_wcslen.LIBCMT ref: 00EEEDDF
_wcslen.LIBCMT ref: 00EEEDEF
_wcslen.LIBCMT ref: 00EEEE2B
_wcslen.LIBCMT ref: 00EEEE5A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 787a468aa48f926ba3dbd7d5ba9a28be8fd5504726ebaea23747ab3a57836550
Instruction ID: 192ba5e825bf757571434ecb7d559cfac7de911135092bee22a5e332b1cee4bd
Opcode Fuzzy Hash: 787a468aa48f926ba3dbd7d5ba9a28be8fd5504726ebaea23747ab3a57836550
Instruction Fuzzy Hash: 18419065C10258A5CB11EBF48C8AACFB7ECAF4A310F50A462E514F7271EB34E255C3A5

Function 00E9F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00ED682C,00000004,00000000,00000000), ref: 00E9F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00ED682C,00000004,00000000,00000000), ref: 00EDF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00ED682C,00000004,00000000,00000000), ref: 00EDF454

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b88c97ed442b00cc77192788af5725e1712c36711f4117e576a1c03321fdaf7a
Instruction ID: f6255a1416fcff949fb158ac90b87d4c1bd8ab50f507c560afa32623499a5712
Opcode Fuzzy Hash: b88c97ed442b00cc77192788af5725e1712c36711f4117e576a1c03321fdaf7a
Instruction Fuzzy Hash: F2413F31604640BECF38CB68C8887AA7BD2ABD6318F15B43DE047F6661C671E481D750

Function 00F12D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F12D1B
GetDC.USER32(00000000), ref: 00F12D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F12D2E
ReleaseDC.USER32(00000000,00000000), ref: 00F12D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F12D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F12D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F15A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00F12DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F12DE1

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 57764abb55cf117d0ec52411e8eb304d0eaf6cfd9096bf5988b703d9cf2a2312
Instruction ID: e955908cbc2b11ed6b785e04a20754c98ecd721c84f014b285c8d152ecf152f9
Opcode Fuzzy Hash: 57764abb55cf117d0ec52411e8eb304d0eaf6cfd9096bf5988b703d9cf2a2312
Instruction Fuzzy Hash: D5319C72241214BFEB118F50DC8AFEB3BA9EF09721F058055FE08DA291C6759C50DBA4

Function 00EE5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EE5637
_memcmp.LIBVCRUNTIME ref: 00EE5659
_memcmp.LIBVCRUNTIME ref: 00EE5671
_memcmp.LIBVCRUNTIME ref: 00EE5684
_memcmp.LIBVCRUNTIME ref: 00EE569E
_memcmp.LIBVCRUNTIME ref: 00EE56B1
_memcmp.LIBVCRUNTIME ref: 00EE56C9
_memcmp.LIBVCRUNTIME ref: 00EE56E4

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e96fa9b9c19d650e6b5a842cb56a57463cc433dbcc98d6c7105a719b0084802a
Instruction ID: 078a83958ea5301dc4536aa2a731fbca18a96bbe54a3bdd576b13613f5b51460
Opcode Fuzzy Hash: e96fa9b9c19d650e6b5a842cb56a57463cc433dbcc98d6c7105a719b0084802a
Instruction Fuzzy Hash: 9721AA73640A4E77D6149A125D92FFB339CAF1538CF441021FD057E581F760EE1895E6

Function 00F04FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00F0502E, 00F05383
Not an Object type, xrefs: 00F05007

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 878e5785ddb533c91df92be4997972c02c5def96956da4699c2e8cdb86cb1c7f
Instruction ID: 1a80b7d4adc93c944f8230fde1182b917f3fe5b1ced1ebffab3fe5a350706f2b
Opcode Fuzzy Hash: 878e5785ddb533c91df92be4997972c02c5def96956da4699c2e8cdb86cb1c7f
Instruction Fuzzy Hash: 93D1B175E0060A9FDF10CFA8C881BAEB7B5BF48754F148069E915AB281E7B0DD45EF90

Function 00EC1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00EC17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00EC15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00EC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00EC1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00EC17FB,?,00EC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00EC16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00EC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00EC16FB

Part of subcall function 00EB3820: RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00EC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00EC1777
__freea.LIBCMT ref: 00EC17A2
__freea.LIBCMT ref: 00EC17AE

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 52f680e5bc6655d95d1319c0a22895dbca54f85efa429b8e5822541ab32415cd
Instruction ID: f33a92574accaf7bd319a735197e6642d8a7e903bd258da3e9e9f2840f60b5b3
Opcode Fuzzy Hash: 52f680e5bc6655d95d1319c0a22895dbca54f85efa429b8e5822541ab32415cd
Instruction Fuzzy Hash: A7919371E002169ADB208E64CA51FEE7BF5AF4B714F18659EE801F7182D736DC4287A0

Function 00F04523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F04648
VariantInit.OLEAUT32(?), ref: 00F04749
VariantClear.OLEAUT32(?), ref: 00F04753
VariantClear.OLEAUT32(?), ref: 00F047B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00F045D8, 00F04706, 00F047BE
Incorrect Object type in FOR..IN loop, xrefs: 00F0472C

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 9ede337abd49b1472536eea629187d464e8901f315890bef881e7387d303b604
Instruction ID: 81ef30a1325581e1ed3d18fce45788d66a363b48b6bf7982ffba2814e564fb6c
Opcode Fuzzy Hash: 9ede337abd49b1472536eea629187d464e8901f315890bef881e7387d303b604
Instruction Fuzzy Hash: E29174B1E00215ABDF20CF95CC44FAEBBB8EF45714F108559F605AB281D770A945EFA0

Function 00EF1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00EF125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EF1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00EF12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EF12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EF135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EF13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EF1430

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: cac65ae4eb3950db6c4dc73dcdaae4184bf57495122623396b7dd27dc7668a2e
Instruction ID: 3d964d8fd176ce35efbc991c48e50dd2da6cd175567daaed1c71b6ed5a7983f2
Opcode Fuzzy Hash: cac65ae4eb3950db6c4dc73dcdaae4184bf57495122623396b7dd27dc7668a2e
Instruction Fuzzy Hash: 68919A71A0020DDFEB009F94C884BBEB7B5EF45324F11A0A9EA50FB2A1D774A941DB90

Function 00E9948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6436f9be736c21388792100a1dfe505a875ff9c1585e6ef7b1f238f46a781187
Instruction ID: 700f85501ed2a2394ceffa8591d6220cfa401da33f6307a84fe7f1f869de7404
Opcode Fuzzy Hash: 6436f9be736c21388792100a1dfe505a875ff9c1585e6ef7b1f238f46a781187
Instruction Fuzzy Hash: 54913671D40219EFCF10CFA9C884AEEBBB8FF49320F159059E515B7252D374A942DBA0

Function 00F03947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F0396B
CharUpperBuffW.USER32(?,?), ref: 00F03A7A
_wcslen.LIBCMT ref: 00F03A8A
VariantClear.OLEAUT32(?), ref: 00F03C1F

Part of subcall function 00EF0CDF: VariantInit.OLEAUT32(00000000), ref: 00EF0D1F
Part of subcall function 00EF0CDF: VariantCopy.OLEAUT32(?,?), ref: 00EF0D28
Part of subcall function 00EF0CDF: VariantClear.OLEAUT32(?), ref: 00EF0D34

Strings

AUTOIT.ERROR, xrefs: 00F03A80, 00F03A85
Incorrect Parameter format, xrefs: 00F039A6, 00F03BA1

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 917ce234fd264b23fd2d7ecb3a86d4ae38456015afa4895544cf9d57130d9344
Instruction ID: 64e71a677c5c30e15c9fdf363c1c9686ae4c6e61a765e708da0b3ab2a879c700
Opcode Fuzzy Hash: 917ce234fd264b23fd2d7ecb3a86d4ae38456015afa4895544cf9d57130d9344
Instruction Fuzzy Hash: B7917F75A083059FC704EF24C48096AB7E9FF89314F14892DF889A7391DB31EE45EB92

Function 00F04BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00EE000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?,?,00EE035E), ref: 00EE002B
Part of subcall function 00EE000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0046
Part of subcall function 00EE000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0054
Part of subcall function 00EE000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?), ref: 00EE0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00F04C51
_wcslen.LIBCMT ref: 00F04D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00F04DCF
CoTaskMemFree.OLE32(?), ref: 00F04DDA

Strings

NULL Pointer assignment, xrefs: 00F04E23, 00F04E52

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 77bf604014a67e132c0e98aee73afd4bde33bbe4b29361d294f1badd8566245d
Instruction ID: d1931ef86ff89a9605e22bc825066027405fa28806bdf90282cd3c9fe420bd13
Opcode Fuzzy Hash: 77bf604014a67e132c0e98aee73afd4bde33bbe4b29361d294f1badd8566245d
Instruction Fuzzy Hash: 23912BB1D0021D9FDF14EFA4D891AEDB7B8BF48310F108169E919B7291DB74AA44DF60

Function 00F120FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F12183
GetMenuItemCount.USER32(00000000), ref: 00F121B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F121DD
_wcslen.LIBCMT ref: 00F12213
GetMenuItemID.USER32(?,?), ref: 00F1224D
GetSubMenu.USER32(?,?), ref: 00F1225B

Part of subcall function 00EE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE3A57
Part of subcall function 00EE3A3D: GetCurrentThreadId.KERNEL32 ref: 00EE3A5E
Part of subcall function 00EE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EE25B3), ref: 00EE3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F122E3

Part of subcall function 00EEE97B: Sleep.KERNEL32 ref: 00EEE9F3

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 91051ae0a50fa488affaa0989e91fe2b389904d17a6b91d0ee9208f01ee9f60f
Instruction ID: 66368d474d5a0fc2b0d514c6178db050842f6b9e3d793fe36e8b62d8af76632c
Opcode Fuzzy Hash: 91051ae0a50fa488affaa0989e91fe2b389904d17a6b91d0ee9208f01ee9f60f
Instruction Fuzzy Hash: DD717D75E00205AFDB54EFA8C845AEEB7F1EF88320F148459E91AFB341D734A9919B90

Function 00F17E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01244B68), ref: 00F17F37
IsWindowEnabled.USER32(01244B68), ref: 00F17F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00F1801E
SendMessageW.USER32(01244B68,000000B0,?,?), ref: 00F18051
IsDlgButtonChecked.USER32(?,?), ref: 00F18089
GetWindowLongW.USER32(01244B68,000000EC), ref: 00F180AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F180C3

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 00eef524c8e3e5b40ef6998f3489d9cb09c40825af6b774308009b2e869be96e
Instruction ID: 3750300b6fc0288724d12cbba3b4a7c7bace5deff971ea824ae887dcb2ed3783
Opcode Fuzzy Hash: 00eef524c8e3e5b40ef6998f3489d9cb09c40825af6b774308009b2e869be96e
Instruction Fuzzy Hash: 1071A035A08348AFEB25AF64CC84FEB7BB5FF09350F144059E95957261CB31A886FB90

Function 00EEAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00EEAEF9
GetKeyboardState.USER32(?), ref: 00EEAF0E
SetKeyboardState.USER32(?), ref: 00EEAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00EEAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00EEAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00EEAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00EEB020

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0bdef07d84e9d22c653bb737e0705d6f150079665b47acb01574384d3019fc1b
Instruction ID: 3e567c1bc97cc8439e0c2fade17d9b3d288509d22aac00e86bb6fd9ee3e53939
Opcode Fuzzy Hash: 0bdef07d84e9d22c653bb737e0705d6f150079665b47acb01574384d3019fc1b
Instruction Fuzzy Hash: 3F51CEA06046D97DFB368336C845BBBBEE95B06308F0C949DE1D9658D2C398A8C8D791

Function 00EEACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00EEAD19
GetKeyboardState.USER32(?), ref: 00EEAD2E
SetKeyboardState.USER32(?), ref: 00EEAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00EEADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00EEADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00EEAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00EEAE38

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4bbd325c6a7c7b0510e800f04cd783911c819240872a4931c42001ad50346754
Instruction ID: 7dd7c651bf03b37f073eeb2b06b016b8eadc08cb6d4bd79cbc6c85a497cd8ee6
Opcode Fuzzy Hash: 4bbd325c6a7c7b0510e800f04cd783911c819240872a4931c42001ad50346754
Instruction Fuzzy Hash: 4F51E5A05047D93DFB3282268C95BBA7ED95F45308F0C949CE1D9668D2D294FCC8D752

Function 00EB542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00EC3CD6,?,?,?,?,?,?,?,?,00EB5BA3,?,?,00EC3CD6,?,?), ref: 00EB5470
__fassign.LIBCMT ref: 00EB54EB
__fassign.LIBCMT ref: 00EB5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00EC3CD6,00000005,00000000,00000000), ref: 00EB552C
WriteFile.KERNEL32(?,00EC3CD6,00000000,00EB5BA3,00000000,?,?,?,?,?,?,?,?,?,00EB5BA3,?), ref: 00EB554B
WriteFile.KERNEL32(?,?,00000001,00EB5BA3,00000000,?,?,?,?,?,?,?,?,?,00EB5BA3,?), ref: 00EB5584

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bd5454658b1233d83248606d9de6edb1eed6b88c33a382c1a1d0b38181494aa2
Instruction ID: b46957b36a532399b2873862ac03510d63664c5a226ef0a2bccf05ddd4d25fa4
Opcode Fuzzy Hash: bd5454658b1233d83248606d9de6edb1eed6b88c33a382c1a1d0b38181494aa2
Instruction Fuzzy Hash: 7351B071A00649AFDB20CFA8D845BEEBBF9EF09301F14511AE955F7291D6309A41CF60

Function 00F010B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F0307A
Part of subcall function 00F0304E: _wcslen.LIBCMT ref: 00F0309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F01112
WSAGetLastError.WSOCK32 ref: 00F01121
WSAGetLastError.WSOCK32 ref: 00F011C9
closesocket.WSOCK32(00000000), ref: 00F011F9

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 04e81d630d8cb73423e10cc672c1e70abcd7fbefc78f561599e61cbe6b01e724
Instruction ID: 5c6f1927f355c44ba0663c633d6629892cf4035b8cfe76129cb6cbdac94d6e34
Opcode Fuzzy Hash: 04e81d630d8cb73423e10cc672c1e70abcd7fbefc78f561599e61cbe6b01e724
Instruction Fuzzy Hash: C741C131600208AFDB149F14C884BAABBE9FF45328F158059F919AB2D1C774ED41EBE1

Function 00EECF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EECF22,?), ref: 00EEDDFD

Part of subcall function 00EEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EECF22,?), ref: 00EEDE16

lstrcmpiW.KERNEL32(?,?), ref: 00EECF45
MoveFileW.KERNEL32(?,?), ref: 00EECF7F
_wcslen.LIBCMT ref: 00EED005
_wcslen.LIBCMT ref: 00EED01B
SHFileOperationW.SHELL32(?), ref: 00EED061

Strings

\*.*, xrefs: 00EECFF3

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c727c968159f622fea206d1ab07a63fe050e750448db0f2873f8ade970a519fe
Instruction ID: 8815888be68f83a1db54ed6bbff9f425f2c3624c5649e952691e6c60e9a8a219
Opcode Fuzzy Hash: c727c968159f622fea206d1ab07a63fe050e750448db0f2873f8ade970a519fe
Instruction Fuzzy Hash: 0B41747194525C5FDF12EBA5CD81ADEB7F9AF08380F1410E6E509FB142EA34A689CB50

Function 00F12DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00F12E1C
GetWindowLongW.USER32(?,000000F0), ref: 00F12E4F
GetWindowLongW.USER32(?,000000F0), ref: 00F12E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00F12EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00F12EE0
GetWindowLongW.USER32(?,000000F0), ref: 00F12EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F12F0B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: dc4a5beff08b8abfad3d7630e2a1ee3885fc038dc69c83256bee837d1ef8a66f
Instruction ID: 5e0dea8937bb0a7b0042ebed65de18e0b52abc987beb656cdb1eb2211b29005e
Opcode Fuzzy Hash: dc4a5beff08b8abfad3d7630e2a1ee3885fc038dc69c83256bee837d1ef8a66f
Instruction Fuzzy Hash: 3A311731A442589FEB61CF98DC94FA537E1FB4A721F154164FA148F2B1CB71ACA0EB41

Function 00EE7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE778F
SysAllocString.OLEAUT32(00000000), ref: 00EE7792
SysAllocString.OLEAUT32(?), ref: 00EE77B0
SysFreeString.OLEAUT32(?), ref: 00EE77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00EE77DE
SysAllocString.OLEAUT32(?), ref: 00EE77EC

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a2ecbe7d9ec1b2c08eb2e3cf810c2ee21b1ad9f5a0f1b360f47dc806dd3b1cfe
Instruction ID: d836b2c33920e97f5a504dfdc01097fe568e1a2ecc01b16683cf0237dde63383
Opcode Fuzzy Hash: a2ecbe7d9ec1b2c08eb2e3cf810c2ee21b1ad9f5a0f1b360f47dc806dd3b1cfe
Instruction Fuzzy Hash: 36217C7660821DAFDB10DFA9CC88CFB77ACEB097647058026FA55EB150D6709C8287A0

Function 00EE77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE7868
SysAllocString.OLEAUT32(00000000), ref: 00EE786B
SysAllocString.OLEAUT32 ref: 00EE788C
SysFreeString.OLEAUT32 ref: 00EE7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00EE78AF
SysAllocString.OLEAUT32(?), ref: 00EE78BD

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4d48f1127408440aac25656f1a8f870bcd4ec22bc6b7f2069b3f31e668b56a20
Instruction ID: 5ddd88c80a11ca1a4bb4fb109135781a4b28715a2654c98a70a3f9772d31f0cb
Opcode Fuzzy Hash: 4d48f1127408440aac25656f1a8f870bcd4ec22bc6b7f2069b3f31e668b56a20
Instruction Fuzzy Hash: ED21C171608228AFDF149FA9CC88DAA77ECEB183607108025F954DB2A0D670DC41DB68

Function 00EF04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00EF04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EF052E

Strings

nul, xrefs: 00EF0567

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f31c1cceaf0d7c5b734dfd6208a8873111d6c6b0e0727c877f3c19476d20db6f
Instruction ID: 2f39b02cffc122c9e5a3b6ccf63b721538e7a6469357305af8d7630ec61f1f45
Opcode Fuzzy Hash: f31c1cceaf0d7c5b734dfd6208a8873111d6c6b0e0727c877f3c19476d20db6f
Instruction Fuzzy Hash: 25215175500309ABDB309F69D844AAA77A4AF44728F204A19E9A1E61E1E7B0D940DF60

Function 00EF05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00EF05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EF0601

Strings

nul, xrefs: 00EF0639

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c4ddd567a06aa406222f9f78ce4d241750bd3de4aeaa50786d7b96121b01a2f9
Instruction ID: efc4f995fc8a0a9ea679330f58f8b1087be58973d8e0aa629c4c63323009ef12
Opcode Fuzzy Hash: c4ddd567a06aa406222f9f78ce4d241750bd3de4aeaa50786d7b96121b01a2f9
Instruction Fuzzy Hash: DA21B27560031D9BDB208F68CC04AAA77E4BF85734F214A19FEA1F72E1DBB09860CB50

Function 00F140AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E8604C
Part of subcall function 00E8600E: GetStockObject.GDI32(00000011), ref: 00E86060
Part of subcall function 00E8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F14112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F1411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F1412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F14139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F14145

Strings

Msctls_Progress32, xrefs: 00F140E3

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c3cd5a282a9e6c792d5207571c70a5eae7a8fd436288f01a184b76cd604e9d40
Instruction ID: 6637098fba6ee65e824ae0bdb7326f8bf6df053fb59013e186354b597c1c34af
Opcode Fuzzy Hash: c3cd5a282a9e6c792d5207571c70a5eae7a8fd436288f01a184b76cd604e9d40
Instruction Fuzzy Hash: AC1193B214021D7EEF219E64CC85EE77F5DEF097A8F014110BA18A6050C6729C61ABA4

Function 00EBD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EBD7A3: _free.LIBCMT ref: 00EBD7CC

_free.LIBCMT ref: 00EBD82D

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EBD838
_free.LIBCMT ref: 00EBD843
_free.LIBCMT ref: 00EBD897
_free.LIBCMT ref: 00EBD8A2
_free.LIBCMT ref: 00EBD8AD
_free.LIBCMT ref: 00EBD8B8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 7a32fcbbb999df6f05a650a52608f8f570bb0caa892b5f1dfbe1eb129e725550
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 46112B71944B14BBDA21BFB0CC47FCB7BDCAF44700F406C2AB29DB6492EA65B50587A0

Function 00EEDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EEDA74
LoadStringW.USER32(00000000), ref: 00EEDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EEDA91
LoadStringW.USER32(00000000), ref: 00EEDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EEDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00EEDAB9

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 8bccd0d792eceaba8108f915135f8733967b18fc5001ad2256ac773f6f9da58b
Instruction ID: ce9f87ad3ac99b363389dcace2f6a19b1cd4142cfd5d002f203b60c2dafd855f
Opcode Fuzzy Hash: 8bccd0d792eceaba8108f915135f8733967b18fc5001ad2256ac773f6f9da58b
Instruction Fuzzy Hash: E30186F654020C7FE710DBA09D89EE7376CE708701F4154A1BB0AF2041E6749E845FB5

Function 00EF096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0123E3E0,0123E3E0), ref: 00EF097B
EnterCriticalSection.KERNEL32(0123E3C0,00000000), ref: 00EF098D
TerminateThread.KERNEL32(?,000001F6), ref: 00EF099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00EF09A9
CloseHandle.KERNEL32(?), ref: 00EF09B8
InterlockedExchange.KERNEL32(0123E3E0,000001F6), ref: 00EF09C8
LeaveCriticalSection.KERNEL32(0123E3C0), ref: 00EF09CF

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 58ecbb0507a0684a54d84dd9754a1bdfc517f9c0bbbf0de664df09a1d3f4f92f
Instruction ID: 38fc1676f270a8e82173cc2e000771877b98ca9708a5543dcf3c70a5b6b34dd4
Opcode Fuzzy Hash: 58ecbb0507a0684a54d84dd9754a1bdfc517f9c0bbbf0de664df09a1d3f4f92f
Instruction Fuzzy Hash: 8EF03C32482A16BBD7525FA4EE8CBE6BB39FF41702F416025F242A08A1D7B49465DFD0

Function 00F01C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F01DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F01DE1
WSAGetLastError.WSOCK32 ref: 00F01DF2
htons.WSOCK32(?,?,?,?,?), ref: 00F01EDB
inet_ntoa.WSOCK32(?), ref: 00F01E8C

Part of subcall function 00EE39E8: _strlen.LIBCMT ref: 00EE39F2

Part of subcall function 00F03224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00EFEC0C), ref: 00F03240

_strlen.LIBCMT ref: 00F01F35

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 795266b786efb80fc42f59036879bf7db30e867b181748a2c985fe72aff139e5
Instruction ID: 68c11ff0cbd7d96b08d631879c8729b1747590fe07c15f7bca7a80b4a49fa713
Opcode Fuzzy Hash: 795266b786efb80fc42f59036879bf7db30e867b181748a2c985fe72aff139e5
Instruction Fuzzy Hash: AAB1F131604301AFD724EF24C885E2A7BE5BF85328F54954CF45A6B2E2CB31ED42EB91

Function 00E85D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00E85D30
GetWindowRect.USER32(?,?), ref: 00E85D71
ScreenToClient.USER32(?,?), ref: 00E85D99
GetClientRect.USER32(?,?), ref: 00E85ED7
GetWindowRect.USER32(?,?), ref: 00E85EF8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 94475841274945d782093cae84f05905def6e0da164da193e99996241031b968
Instruction ID: c879f15a3392af9218a9c1a5c8fb1b3b43980ba47fd5def805273ab014f63fb2
Opcode Fuzzy Hash: 94475841274945d782093cae84f05905def6e0da164da193e99996241031b968
Instruction Fuzzy Hash: 6BB18E76A0074ADBDB14DFA8C540BEEB7F1FF54314F14A41AE8A9E7290DB30AA41DB50

Function 00EB01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00EB00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB00D6
__allrem.LIBCMT ref: 00EB00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB010B
__allrem.LIBCMT ref: 00EB0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB0140

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 50967f15ad26d6c6736a095a0dd7975d18b6a7c1aaacc319e06550d5e07abb57
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 1C81D775A017069FE724AF68CC41BAB73E9AF46364F24653EF551FB281E7B0E9008790

Function 00EB61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00EA82D9,00EA82D9,?,?,?,00EB644F,00000001,00000001,?), ref: 00EB6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00EB644F,00000001,00000001,?,?,?,?), ref: 00EB62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00EB63D8
__freea.LIBCMT ref: 00EB63E5

Part of subcall function 00EB3820: RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

__freea.LIBCMT ref: 00EB63EE
__freea.LIBCMT ref: 00EB6413

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: bed2eacf79a0ad9ec912400cac8a9f01a8a7095edde06ff781f06f9c055e14c7
Instruction ID: 9fdf1fd69afbe881fad37e6fd0f52c678d0366f5da249c108384007db3b6c097
Opcode Fuzzy Hash: bed2eacf79a0ad9ec912400cac8a9f01a8a7095edde06ff781f06f9c055e14c7
Instruction Fuzzy Hash: ED51E072A00216ABEB258F64DC81EEF7BE9EB94714F155629FC05F6150EB38DC40C6A0

Function 00F0BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00F0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0C9F1
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA68
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F0BD25
RegCloseKey.ADVAPI32(00000000), ref: 00F0BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F0BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F0BDF3
RegCloseKey.ADVAPI32(?), ref: 00F0BDFF

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 0215b840b0acb08f5e1fad4893adf15d3d7f93baf1fd32c181f9f906102792a6
Instruction ID: 7e567f73392c0c4f567bcc427bfd3c79b7d5e1ae557e8473835237d3180b34d6
Opcode Fuzzy Hash: 0215b840b0acb08f5e1fad4893adf15d3d7f93baf1fd32c181f9f906102792a6
Instruction Fuzzy Hash: 3B81D231608241EFD714EF24C885E2ABBE5FF84318F14895CF4599B2A2DB31ED45EB92

Function 00EDF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00EDF7B9
SysAllocString.OLEAUT32(00000001), ref: 00EDF860
VariantCopy.OLEAUT32(00EDFA64,00000000), ref: 00EDF889
VariantClear.OLEAUT32(00EDFA64), ref: 00EDF8AD
VariantCopy.OLEAUT32(00EDFA64,00000000), ref: 00EDF8B1
VariantClear.OLEAUT32(?), ref: 00EDF8BB

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 2124392a8b47c38aea764cd30e7d996257ac63e016119b1e5d943205317425f1
Instruction ID: c080b1b46962b37a5b87336866fc7f136a04d14779650f36b65d2f2437589e62
Opcode Fuzzy Hash: 2124392a8b47c38aea764cd30e7d996257ac63e016119b1e5d943205317425f1
Instruction Fuzzy Hash: 9151E435940310BACF14EBA5D8A5B69B3E8EF85310B24A467E807FF392DB708C41D796

Function 00EF910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00EF94E5
_wcslen.LIBCMT ref: 00EF9506
_wcslen.LIBCMT ref: 00EF952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00EF9585

Strings

X, xrefs: 00EF9412

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: e07de0f8df3eb164df989eabc807a2ca6335ad26b678304300ad9b6c0bf879d5
Instruction ID: b73ed2f485fbe950c8914949fc482ffc1f64241f89fa332b2ec875f4626786a3
Opcode Fuzzy Hash: e07de0f8df3eb164df989eabc807a2ca6335ad26b678304300ad9b6c0bf879d5
Instruction Fuzzy Hash: 80E1B1716083018FD714EF24C881B6AB7E4BF85314F14996DF99DAB2A2DB31ED05CB92

Function 00E9920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

BeginPaint.USER32(?,?,?), ref: 00E99241
GetWindowRect.USER32(?,?), ref: 00E992A5
ScreenToClient.USER32(?,?), ref: 00E992C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E992D3
EndPaint.USER32(?,?,?,?,?), ref: 00E99321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00ED71EA

Part of subcall function 00E99339: BeginPath.GDI32(00000000), ref: 00E99357

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 9568f887494542e5f931ee34c3743f023ad2d2e984e735ce585e74f2eaca28e7
Instruction ID: 8ec13cfd721991a1eb9745f8267360aa3fa3e720ecd77426543385ecd4b06a0f
Opcode Fuzzy Hash: 9568f887494542e5f931ee34c3743f023ad2d2e984e735ce585e74f2eaca28e7
Instruction Fuzzy Hash: 8D41B370105304AFDB11DF28DC84FAA7BE8FB46725F04022DFA95A72E2D731A845EB61

Function 00EF07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00EF080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00EF0847
EnterCriticalSection.KERNEL32(?), ref: 00EF0863
LeaveCriticalSection.KERNEL32(?), ref: 00EF08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00EF08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00EF0921

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 037a24ca7f2060acbbf362582a77776b83bd699716d9344f7adc4f0fcbcb8c8f
Instruction ID: ad7dba8a1b4752da86c37d766ddeaadc9ae7f3e47296a32ff74964eaf80dcdad
Opcode Fuzzy Hash: 037a24ca7f2060acbbf362582a77776b83bd699716d9344f7adc4f0fcbcb8c8f
Instruction Fuzzy Hash: FE417C71A00209EBDF14AF54DC85AAA77B8FF45310F1480A9ED00EE297DB30DE65DBA0

Function 00F181DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00EDF3AB,00000000,?,?,00000000,?,00ED682C,00000004,00000000,00000000), ref: 00F1824C
EnableWindow.USER32(?,00000000), ref: 00F18272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00F182D1
ShowWindow.USER32(?,00000004), ref: 00F182E5
EnableWindow.USER32(?,00000001), ref: 00F1830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00F1832F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 667545e83484202c39769d998f7132439ec5bb93ea080226176c568c58467494
Instruction ID: 4627757fea16b24074b0331d6eb28b390de1701c9b96fada016853140744ccc8
Opcode Fuzzy Hash: 667545e83484202c39769d998f7132439ec5bb93ea080226176c568c58467494
Instruction Fuzzy Hash: C041C834A01644AFDB12CF15CD95BE47BE0FB06765F184169E6184F2B2CB71AC82EF50

Function 00EE4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00EE4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EE4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EE4CEA
_wcslen.LIBCMT ref: 00EE4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EE4D10
_wcsstr.LIBVCRUNTIME ref: 00EE4D1A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 85d44a8f24803006852c1f8d3a79d3913b5daaf718b49890c8fceb81ee7e921a
Instruction ID: 24673a70853e46d25d8132b28bb5cc8d3acb43658b9461f36d08b281c5622868
Opcode Fuzzy Hash: 85d44a8f24803006852c1f8d3a79d3913b5daaf718b49890c8fceb81ee7e921a
Instruction Fuzzy Hash: 362129B12042487BEB155B3ADC09E7B7BDCDF49750F119029F809EA1D1DA61DC0096A1

Function 00EF581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E83A97,?,?,00E82E7F,?,?,?,00000000), ref: 00E83AC2

_wcslen.LIBCMT ref: 00EF587B
CoInitialize.OLE32(00000000), ref: 00EF5995
CoCreateInstance.OLE32(00F1FCF8,00000000,00000001,00F1FB68,?), ref: 00EF59AE
CoUninitialize.OLE32 ref: 00EF59CC

Strings

.lnk, xrefs: 00EF5876, 00EF58C1, 00EF5985

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4b3a4fa1ffa8b37b53d2837d766ec8efbc10fdfaff6ecd55dea8c10ab54c59b6
Instruction ID: fb106ccaae3eb3638e756f948009bd7b5923d6fbd8f2d3bf4c8df1317f7e074b
Opcode Fuzzy Hash: 4b3a4fa1ffa8b37b53d2837d766ec8efbc10fdfaff6ecd55dea8c10ab54c59b6
Instruction Fuzzy Hash: 9DD185726087059FC708EF24C48092ABBE1FF99714F14985DFA99AB361C731ED45CB92

Function 00EE175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EE0FCA
Part of subcall function 00EE0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EE0FD6
Part of subcall function 00EE0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EE0FE5
Part of subcall function 00EE0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EE0FEC
Part of subcall function 00EE0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EE1002

GetLengthSid.ADVAPI32(?,00000000,00EE1335), ref: 00EE17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EE17BA
HeapAlloc.KERNEL32(00000000), ref: 00EE17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00EE17DA
GetProcessHeap.KERNEL32(00000000,00000000,00EE1335), ref: 00EE17EE
HeapFree.KERNEL32(00000000), ref: 00EE17F5

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 70f18d428d4046a4d6620b47cd5df24fa3bd00edb114ce9bc885801a3ffcc87b
Instruction ID: 47387bb91f0461e9053fce4c0abc839439ab6ea77931b08e285d242f44eea03e
Opcode Fuzzy Hash: 70f18d428d4046a4d6620b47cd5df24fa3bd00edb114ce9bc885801a3ffcc87b
Instruction Fuzzy Hash: D011EE31684208FFDB108FA6CC48BEE7BB8EB46719F108059F481B7211C731A980DBA0

Function 00EE14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EE14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00EE1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EE1515
CloseHandle.KERNEL32(00000004), ref: 00EE1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EE154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00EE1563

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bb59a34c3a7ca66a512b5af7c1c39e17133e9b02ab966e6aae218b8e202071d3
Instruction ID: 78c76998d2b875b93ef382d010957e0a18e1c3096200226e1a8fc107be5a8309
Opcode Fuzzy Hash: bb59a34c3a7ca66a512b5af7c1c39e17133e9b02ab966e6aae218b8e202071d3
Instruction Fuzzy Hash: 9611597250024DABDF118F98DD49BDE7BA9EF48748F058054FA15A21A0C3718EA4EBA0

Function 00EA3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EA3379,00EA2FE5), ref: 00EA3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EA339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EA33B7
SetLastError.KERNEL32(00000000,?,00EA3379,00EA2FE5), ref: 00EA3409

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6ca02c91e0fbbcbfc50d0955f51ee7c7dfd0cf38b9df467d251170b542fd1eec
Instruction ID: 923437a0e9d8bd8ec36708c21a284f14e19a1935b586443ba7a42e81c8014b0a
Opcode Fuzzy Hash: 6ca02c91e0fbbcbfc50d0955f51ee7c7dfd0cf38b9df467d251170b542fd1eec
Instruction Fuzzy Hash: 3D01243660E315BEAA6427787C855A73ED4EB6F3797203229F830EC1F0EF156E096184

Function 00EB2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EB5686,00EC3CD6,?,00000000,?,00EB5B6A,?,?,?,?,?,00EAE6D1,?,00F48A48), ref: 00EB2D78
_free.LIBCMT ref: 00EB2DAB
_free.LIBCMT ref: 00EB2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00EAE6D1,?,00F48A48,00000010,00E84F4A,?,?,00000000,00EC3CD6), ref: 00EB2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00EAE6D1,?,00F48A48,00000010,00E84F4A,?,?,00000000,00EC3CD6), ref: 00EB2DEC
_abort.LIBCMT ref: 00EB2DF2

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: b2d02079a47ce7ac1abab4d4c7aad4b698547c8c349036e3dc4b4adbe4f081de
Instruction ID: c8533c8e697b9229720e3f33a4bde25289a192f4200a6505e7bf69d6860af726
Opcode Fuzzy Hash: b2d02079a47ce7ac1abab4d4c7aad4b698547c8c349036e3dc4b4adbe4f081de
Instruction Fuzzy Hash: 0EF0FC3554560037C6123739BC0AEDF3599AFC67A5F25651CFF38F21E6EF24880161A1

Function 00F18A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00E99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E99693
Part of subcall function 00E99639: SelectObject.GDI32(?,00000000), ref: 00E996A2
Part of subcall function 00E99639: BeginPath.GDI32(?), ref: 00E996B9
Part of subcall function 00E99639: SelectObject.GDI32(?,00000000), ref: 00E996E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00F18A4E
LineTo.GDI32(?,00000003,00000000), ref: 00F18A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00F18A70
LineTo.GDI32(?,00000000,00000003), ref: 00F18A80
EndPath.GDI32(?), ref: 00F18A90
StrokePath.GDI32(?), ref: 00F18AA0

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 23f7b067612c63bd4b66027f931baa228795f42e4ba5935b2c05a3b1c1e1c8dd
Instruction ID: 600ec098f6955ba4e1dc6c336672199af179e6af4b112aad06073b0a4279f996
Opcode Fuzzy Hash: 23f7b067612c63bd4b66027f931baa228795f42e4ba5935b2c05a3b1c1e1c8dd
Instruction Fuzzy Hash: 2211F77644010CFFDB129F94DC88EEA7FACEF08390F01C012BA199A1A1C771AD55EBA0

Function 00EE51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EE5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00EE5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EE5230
ReleaseDC.USER32(00000000,00000000), ref: 00EE5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00EE524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00EE5261

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 16c27a0f95eb3f079fa4130189c9180d7174fcb986c949794ce8857069757de1
Instruction ID: 8b8780207aaf863f34fc4ee360cf32123c6dd98b6ab07699ac36dd2272df9349
Opcode Fuzzy Hash: 16c27a0f95eb3f079fa4130189c9180d7174fcb986c949794ce8857069757de1
Instruction Fuzzy Hash: 9D014875A40718BBEB105BA69C45A5E7F78EB48751F044065FA09A7291D6709900DB90

Function 00E81BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E81BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E81BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E81C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E81C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E81C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E81C22

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3eb8cdeeeeb9c2c672a36e3d1b69955c8f1113fe1a4591f44bc753547443b83f
Instruction ID: 1e6ba7abab5e3c87e841b3f34cc0bb31c7612f4dfbd31d1daafcdcc4f78c88c1
Opcode Fuzzy Hash: 3eb8cdeeeeb9c2c672a36e3d1b69955c8f1113fe1a4591f44bc753547443b83f
Instruction Fuzzy Hash: 0D0167B0942B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00EEEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EEEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EEEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00EEEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EEEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EEEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EEEB75

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 15e0a8599ef7323807f891a77cf5e3e3d2ee71ce1026d59e65a86475813c8d97
Instruction ID: f3b509680d1b01257f125b0298fcf710f0093acdacc4b60c7ab2520f5e62a043
Opcode Fuzzy Hash: 15e0a8599ef7323807f891a77cf5e3e3d2ee71ce1026d59e65a86475813c8d97
Instruction Fuzzy Hash: 97F0307258015CBBE72157529C0DEEF3A7CEFCAB11F018158F611E1191D7A05A01E6F5

Function 00ED7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00ED7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00ED7469
GetWindowDC.USER32(?), ref: 00ED7475
GetPixel.GDI32(00000000,?,?), ref: 00ED7484
ReleaseDC.USER32(?,00000000), ref: 00ED7496
GetSysColor.USER32(00000005), ref: 00ED74B0

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 5567e17bb1cce8dd464424552cec6b0a06250203a84398cf94899039197ad443
Instruction ID: 35af826e6bb588a1132f5c21c673b3d9b8c3a59e666922af9d9b034f755bab3a
Opcode Fuzzy Hash: 5567e17bb1cce8dd464424552cec6b0a06250203a84398cf94899039197ad443
Instruction Fuzzy Hash: 1A018B31440219EFDB515F64DC08BEA7BB6FB04311F568064F929A21A1CB311E42EB90

Function 00EE1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EE187F
UnloadUserProfile.USERENV(?,?), ref: 00EE188B
CloseHandle.KERNEL32(?), ref: 00EE1894
CloseHandle.KERNEL32(?), ref: 00EE189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EE18A5
HeapFree.KERNEL32(00000000), ref: 00EE18AC

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 622a03c4a0979d3e63830ef0e131f1f3b7808ad5a0bd126336a2da741213bd68
Instruction ID: 4ee0289d42603902a28a0e662f0f99c081448674beb7fe88841e4dcdb7e97fd4
Opcode Fuzzy Hash: 622a03c4a0979d3e63830ef0e131f1f3b7808ad5a0bd126336a2da741213bd68
Instruction Fuzzy Hash: 99E0ED36484219BBEB015FA2ED0C985BF39FF49721B11C220F22591071CB725420EF90

Function 00F07B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00EA0242: EnterCriticalSection.KERNEL32(00F5070C,00F51884,?,?,00E9198B,00F52518,?,?,?,00E812F9,00000000), ref: 00EA024D
Part of subcall function 00EA0242: LeaveCriticalSection.KERNEL32(00F5070C,?,00E9198B,00F52518,?,?,?,00E812F9,00000000), ref: 00EA028A

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EA00A3: __onexit.LIBCMT ref: 00EA00A9

__Init_thread_footer.LIBCMT ref: 00F07BFB

Part of subcall function 00EA01F8: EnterCriticalSection.KERNEL32(00F5070C,?,?,00E98747,00F52514), ref: 00EA0202
Part of subcall function 00EA01F8: LeaveCriticalSection.KERNEL32(00F5070C,?,00E98747,00F52514), ref: 00EA0235

Strings

Variable must be of type 'Object'., xrefs: 00F07C3A
+T, xrefs: 00F07E2E
5, xrefs: 00F07C78
G, xrefs: 00F07C7F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4125810065
Opcode ID: 919a0e2dd10ee3b3ba78cb7e9e9c1e096cba733fce2a70429884714c8dca5e52
Instruction ID: 034009552a71217a611b66c53dfed843769c96c0fe3c59e655392b9e692144a4
Opcode Fuzzy Hash: 919a0e2dd10ee3b3ba78cb7e9e9c1e096cba733fce2a70429884714c8dca5e52
Instruction Fuzzy Hash: 0A919A70E05309EFCB14EF54D8909BEB7B1BF49314F148099F80AAB292DB71AE41EB51

Function 00EEC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EEC6EE
_wcslen.LIBCMT ref: 00EEC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EEC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EEC7CA

Strings

0, xrefs: 00EEC6AF

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: a8492cc81a5fd5577c097cd63bcc9cae26509d51a9f7fc43c4e672b60428fb31
Instruction ID: 63f7a8790b2a0a2dedb3ab95816a47ec15a7826559ea5d32cc18f06bd8f8a8df
Opcode Fuzzy Hash: a8492cc81a5fd5577c097cd63bcc9cae26509d51a9f7fc43c4e672b60428fb31
Instruction Fuzzy Hash: 7E5124716043899BD7149F3AC844BAB77E4AF89318F242A2EF995F3190DB70DC06DB52

Function 00F0AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00F0AEA3

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

GetProcessId.KERNEL32(00000000), ref: 00F0AF38
CloseHandle.KERNEL32(00000000), ref: 00F0AF67

Strings

<, xrefs: 00F0AE6B
@, xrefs: 00F0AE72

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 5872f85e89e0421a0b83988ecba15e8ffe35199fa63328ee41b07cca7478ec10
Instruction ID: 8af8e321ac33e0517447991d999376d4e8ad9d468774e573f4ed04e0392a6c81
Opcode Fuzzy Hash: 5872f85e89e0421a0b83988ecba15e8ffe35199fa63328ee41b07cca7478ec10
Instruction Fuzzy Hash: EE718C71A00619DFCB14EF54C484A9EBBF1FF08314F148499E85AAB392C774ED45DB91

Function 00EE719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EE7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EE723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EE724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EE72CF

Strings

DllGetClassObject, xrefs: 00EE7242

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 059d53fe902ec82ce3a08af626d2f10030c7bd1c9ebd44aba171a913a5d58aa0
Instruction ID: 831a2496d5cb72df5220f319185b0d0092803942dd7ff616dcf58ae6def8cbdf
Opcode Fuzzy Hash: 059d53fe902ec82ce3a08af626d2f10030c7bd1c9ebd44aba171a913a5d58aa0
Instruction Fuzzy Hash: 0241DFB1A04209EFDB15CF55C884A9A7BB9EF48314F1090A9BE45AF21AD7B0DD40DBA0

Function 00F13D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F13E35
IsMenu.USER32(?), ref: 00F13E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F13E92
DrawMenuBar.USER32 ref: 00F13EA5

Strings

0, xrefs: 00F13D89

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 16da9cd1b0bf380f177fff2130008652157eff7b284f1c0dcc8be2ebbd5f3c4b
Instruction ID: 1a355d4171bce9c8e14b1ea5f7cd890946961b8b78b93bcd6e8c2d6e32a8e3d2
Opcode Fuzzy Hash: 16da9cd1b0bf380f177fff2130008652157eff7b284f1c0dcc8be2ebbd5f3c4b
Instruction Fuzzy Hash: A3413A75A01309EFDB10DF54D884AEABBB9FF49364F044129E915A7290D730AE89EF90

Function 00EE1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EE1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EE1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00EE1EA9

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

Strings

ListBox, xrefs: 00EE1E25
ComboBox, xrefs: 00EE1DF0

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 4951b1645b055a37371170d5122faa901c6c40210125fa560835b699712de904
Instruction ID: 9ee2f3c8e44727e31558c8ab0df9eefb7eb13f0918d1b5fc19083004d2f359ca
Opcode Fuzzy Hash: 4951b1645b055a37371170d5122faa901c6c40210125fa560835b699712de904
Instruction Fuzzy Hash: 23212371A00148AFDB18ABB1CC49CFFB7B8DF41364B146119F829B31E1DB3949499760

Function 00F12F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F12F8D
LoadLibraryW.KERNEL32(?), ref: 00F12F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F12FA9
DestroyWindow.USER32(?), ref: 00F12FB1

Strings

SysAnimate32, xrefs: 00F12F68

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0a2155e9ea70584f7c6dc57a5e9a3d0dc09b4ba5cc913a776e624a5257713840
Instruction ID: b5d90947942effeabf09bbb6e382e48c13dcad7a5eff4be2b90007a770e2725a
Opcode Fuzzy Hash: 0a2155e9ea70584f7c6dc57a5e9a3d0dc09b4ba5cc913a776e624a5257713840
Instruction Fuzzy Hash: 83219D71600209ABEB604FA4EC84EFB37B9EB59374F104218F954D6190D771DCA2A760

Function 00EA4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00EA4D1E,00EB28E9,(,00EA4CBE,00000000,00F488B8,0000000C,00EA4E15,(,00000002), ref: 00EA4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EA4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00EA4D1E,00EB28E9,(,00EA4CBE,00000000,00F488B8,0000000C,00EA4E15,(,00000002,00000000), ref: 00EA4DC3

Strings

mscoree.dll, xrefs: 00EA4D86
CorExitProcess, xrefs: 00EA4D98

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 65a3fce03ac37acebeb663e4875f0e400b6437aed71e3c3c684ef59bffe8f92d
Instruction ID: 9cdfe011f4d1aa24f56fbb0ede029d5ed54e0f7d834f0c96d2ba6750943daafa
Opcode Fuzzy Hash: 65a3fce03ac37acebeb663e4875f0e400b6437aed71e3c3c684ef59bffe8f92d
Instruction Fuzzy Hash: 43F0AF35A8021CBBDB109F94DC49BEDBFB4EF48716F0140A4F805B62A0CF70A940EAD1

Function 00E84E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E84EDD,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E84EAE
FreeLibrary.KERNEL32(00000000,?,?,00E84EDD,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84EC0

Strings

kernel32.dll, xrefs: 00E84E94
Wow64DisableWow64FsRedirection, xrefs: 00E84EA8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: aff9ee1e73ab682bebcf85669da8a745c6ffb57eabb2194c4ec4240e0e5c7269
Instruction ID: efe9d7358faeb83c732d6adadc7b0c458d4e5a86a9d4c495aa677ab673594d0b
Opcode Fuzzy Hash: aff9ee1e73ab682bebcf85669da8a745c6ffb57eabb2194c4ec4240e0e5c7269
Instruction Fuzzy Hash: 54E0CD35A815236BD2312B256C18F9F7654EFC1F667064115FC0CF7140DB60CD0161E1

Function 00E84E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EC3CDE,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E84E74
FreeLibrary.KERNEL32(00000000,?,?,00EC3CDE,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E87

Strings

kernel32.dll, xrefs: 00E84E5B
Wow64RevertWow64FsRedirection, xrefs: 00E84E6E

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c7eb216b503a56da958508bdf8a42650ec6a3ae13c2a7336d9f8e8a274ce9e58
Instruction ID: dd9804ecedeb1488a72a069fe29d2466dd3dac5535daafa36b132f224bf33a76
Opcode Fuzzy Hash: c7eb216b503a56da958508bdf8a42650ec6a3ae13c2a7336d9f8e8a274ce9e58
Instruction Fuzzy Hash: 61D012355826236757222B256C18DCB7A18EF85B593064515BD0DF6154CF60CD01A6D1

Function 00EF2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EF2C05
DeleteFileW.KERNEL32(?), ref: 00EF2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EF2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EF2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EF2CC0

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: b7488692e672754019db668b7b2d212beae586e337b7affb77774be2c9f053d2
Instruction ID: 9e193032a7f88af0b703ba1ff65a8e2b51d1338ec1d70f6879d44e5e29155316
Opcode Fuzzy Hash: b7488692e672754019db668b7b2d212beae586e337b7affb77774be2c9f053d2
Instruction Fuzzy Hash: 3FB13D7290011DABDF11EBA4CC85EEEBBBDEF49350F1050AAF609F6151EB319A448B61

Function 00F0A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00F0A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F0A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F0A468
CloseHandle.KERNEL32(?), ref: 00F0A63D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 9923393ba5afedb1c73585d7c996a3589b400c76d1f2b4b2a2e4c5cc54c80cbc
Instruction ID: df3013ff38fddf7f1afcbcb17908627114dfa40056f238de71e18bea07985dd6
Opcode Fuzzy Hash: 9923393ba5afedb1c73585d7c996a3589b400c76d1f2b4b2a2e4c5cc54c80cbc
Instruction Fuzzy Hash: 68A1B3716043009FE720DF24D886F2AB7E5AF84714F14985CF56A9B2D2D771EC41DB92

Function 00EBBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F23700), ref: 00EBBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00F5121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00EBBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00F51270,000000FF,?,0000003F,00000000,?), ref: 00EBBC36
_free.LIBCMT ref: 00EBBB7F

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EBBD4B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 92e474b2423d917aa182ebb34da78fda1c7608534703e00e4020d428e2dee313
Instruction ID: b9f3a916cd54e7be5d6d856a74a12000c594c159810b1303e0ae5c91564f972e
Opcode Fuzzy Hash: 92e474b2423d917aa182ebb34da78fda1c7608534703e00e4020d428e2dee313
Instruction Fuzzy Hash: 8F51C371900209AFDB10EF659C81AEFBBF8BF41314F10526AE554F71A1EBB09E419B90

Function 00EEE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EECF22,?), ref: 00EEDDFD

Part of subcall function 00EEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EECF22,?), ref: 00EEDE16

Part of subcall function 00EEE199: GetFileAttributesW.KERNEL32(?,00EECF95), ref: 00EEE19A

lstrcmpiW.KERNEL32(?,?), ref: 00EEE473
MoveFileW.KERNEL32(?,?), ref: 00EEE4AC
_wcslen.LIBCMT ref: 00EEE5EB
_wcslen.LIBCMT ref: 00EEE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00EEE650

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 9b2906bc237f50b5c5b0576b99c59973038253efa6ff3948c24118aec3ccbd26
Instruction ID: 9cda126c0ea8f05d36d7bbfdf768423ac1d997f4b4104784d892463a3353fe9a
Opcode Fuzzy Hash: 9b2906bc237f50b5c5b0576b99c59973038253efa6ff3948c24118aec3ccbd26
Instruction Fuzzy Hash: 3A5175B24083895BC724EB90DC819DFB3ECAF85344F00591EF599E3291EF75A5888766

Function 00F0B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00F0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0C9F1
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA68
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F0BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F0BB63
RegCloseKey.ADVAPI32(?,?), ref: 00F0BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00F0BBB3

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: af423f2e021ec2edc595e71b8714672d93714bdec2d2ee1275b015ea401627cc
Instruction ID: 463c21bbbf535aa35fa9ed6d98bf28078e292cddab302b610317aa72d15df074
Opcode Fuzzy Hash: af423f2e021ec2edc595e71b8714672d93714bdec2d2ee1275b015ea401627cc
Instruction Fuzzy Hash: 5C61E271608201EFD314EF14C890E2ABBE5FF84318F14855CF4998B2A2DB35ED45EB92

Function 00EE8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE8BCD
VariantClear.OLEAUT32 ref: 00EE8C3E
VariantClear.OLEAUT32 ref: 00EE8C9D
VariantClear.OLEAUT32(?), ref: 00EE8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EE8D3B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 548fce355257c28930d04a995d45dd92d1993021bfec6bb109b30689cbe66111
Instruction ID: 9ca722943a4166f2ae6bc8fedc0cf23cb47430d612fb755884fae47307a5886a
Opcode Fuzzy Hash: 548fce355257c28930d04a995d45dd92d1993021bfec6bb109b30689cbe66111
Instruction Fuzzy Hash: 6B5197B5A00219EFCB10CF29C884AAAB7F9FF89314B118559E909EB354E730E911CF90

Function 00EF8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EF8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00EF8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EF8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EF8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EF8C5F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 5c592b55e5cd8dc4c872f5a9c42d3fd7c9bd742fed1baaeb905850b691adff01
Instruction ID: 084239e5d3c688924b1ebd861f38992397db59c6b1a4eb9940632f8127a1c6dc
Opcode Fuzzy Hash: 5c592b55e5cd8dc4c872f5a9c42d3fd7c9bd742fed1baaeb905850b691adff01
Instruction Fuzzy Hash: 0C515A35A002199FCB04EF64C880AADBBF5FF49314F189458E94DAB362CB31ED41CBA1

Function 00F08EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00F08F40
GetProcAddress.KERNEL32(00000000,?), ref: 00F08FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F08FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00F09032
FreeLibrary.KERNEL32(00000000), ref: 00F09052

Part of subcall function 00E9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00EF1043,?,7644E610), ref: 00E9F6E6
Part of subcall function 00E9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00EDFA64,00000000,00000000,?,?,00EF1043,?,7644E610,?,00EDFA64), ref: 00E9F70D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 59b31e521e79ca1029f86125c9d8741cb2ffa86f431b85b41cdf99bbea71f1bc
Instruction ID: b7f48e721fa331a2c2ddb0c451969f5e5df911610875152659f56f8c339564df
Opcode Fuzzy Hash: 59b31e521e79ca1029f86125c9d8741cb2ffa86f431b85b41cdf99bbea71f1bc
Instruction Fuzzy Hash: C9515F35A04205DFC715EF64C4848ADBBF1FF49324B058099E849AB3A2DB31ED86EB90

Function 00F16B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00F16C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00F16C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00F16C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00EFAB79,00000000,00000000), ref: 00F16C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00F16CC7

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 74469a50f10fea136281166bc5a863d6abfd66e07b101f610720f2a83e71dd60
Instruction ID: 9f096118a8421a3b3eb30ef96e542169c86ef72509371d25122c3d21e0033432
Opcode Fuzzy Hash: 74469a50f10fea136281166bc5a863d6abfd66e07b101f610720f2a83e71dd60
Instruction Fuzzy Hash: 0141D435A04104AFD724CF28CC58FE97BA5EB09361F154268F999E73E0C371AD81EAC0

Function 00EB2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EB20C3
_free.LIBCMT ref: 00EB20E3

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2159d089d822e0945c305497e196337f9aee3a6fe0f76249dd8bafc58dd7428d
Instruction ID: 7c4a852abbb0134f964d55b63c97aaa6e9ca47e3b82afb7c62f99d44f3df88c2
Opcode Fuzzy Hash: 2159d089d822e0945c305497e196337f9aee3a6fe0f76249dd8bafc58dd7428d
Instruction Fuzzy Hash: F241E272A00204AFCB24DF78C880A9EB7E5EF89714F1555ACEA15FB391DB31AD01DB80

Function 00E9912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E99141
ScreenToClient.USER32(00000000,?), ref: 00E9915E
GetAsyncKeyState.USER32(00000001), ref: 00E99183
GetAsyncKeyState.USER32(00000002), ref: 00E9919D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 97bacb000af2e337ae363535999cfdc4b9db9af8f6102a034788e85b2b935238
Instruction ID: 00f7ba8c5d7dda81092c848cb6c8d76afd14e59f85e1c45fe9a1b87ac184b48b
Opcode Fuzzy Hash: 97bacb000af2e337ae363535999cfdc4b9db9af8f6102a034788e85b2b935238
Instruction Fuzzy Hash: 9D419F31A0821AFBDF099F68C844BEEB774FB05324F21931AE469B32D1D7346990DB91

Function 00EF3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00EF38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00EF3922
TranslateMessage.USER32(?), ref: 00EF394B
DispatchMessageW.USER32(?), ref: 00EF3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF3966

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 454a7f48fd1d22b4d45c53fc95908d4d0542a2fe7fdb81ccff2285f518ecd62e
Instruction ID: fc121fec41e9483548b9098fa5e903587147e86e8563ed1e1bd006855c93abaa
Opcode Fuzzy Hash: 454a7f48fd1d22b4d45c53fc95908d4d0542a2fe7fdb81ccff2285f518ecd62e
Instruction Fuzzy Hash: B631097050438E9EEB35CB34D808BB637E8AB41349F04156DE762E21E4E3F4AA85DB11

Function 00EFCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00EFC21E,00000000), ref: 00EFCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00EFCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00EFC21E,00000000), ref: 00EFCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EFC21E,00000000), ref: 00EFCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EFC21E,00000000), ref: 00EFCFF2

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 467a446b2dd60ae956f9db3542e6db94254b0b635461fc22211ac2436af3df24
Instruction ID: e13ae8644e4f9f499dbe2b43a3efdbc703c67ad76bfd44745dfaad6464670ed5
Opcode Fuzzy Hash: 467a446b2dd60ae956f9db3542e6db94254b0b635461fc22211ac2436af3df24
Instruction Fuzzy Hash: F431417260420DAFDB20DFA5C984ABBBBF9EB14354B30942EF616E2150D730AD40DBA0

Function 00EE1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EE1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00EE19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00EE19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00EE19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00EE19E2

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ef946c687abf766c6ad6dae79ee1efd0e2074da1061c53576325ee1cc213e06c
Instruction ID: 9c43fde59a2d1a65aaa38837d0a48be400fb88dde8fe3f08a5ce5783675b09e3
Opcode Fuzzy Hash: ef946c687abf766c6ad6dae79ee1efd0e2074da1061c53576325ee1cc213e06c
Instruction Fuzzy Hash: 2431D47190025DEFCB00CFA9CD99ADE3BB5EB44315F109265F925A72D2C7709D84DB90

Function 00F15706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F15745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F1579D
_wcslen.LIBCMT ref: 00F157AF
_wcslen.LIBCMT ref: 00F157BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F15816

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: b25b49115b129b8b6c1c7445430f6eb8aa7a4a9778325ccb69f3e46950f728a6
Instruction ID: 5cb43cf0bbcb6e828851a836cffa00459fba9c923b5b748c77ee169b94a5ea4d
Opcode Fuzzy Hash: b25b49115b129b8b6c1c7445430f6eb8aa7a4a9778325ccb69f3e46950f728a6
Instruction Fuzzy Hash: EF218F71D04618DADB209FA0CC85AEEB7B8FF84B35F108216E929AA1C0D77099C5DF50

Function 00F00930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F00951
GetForegroundWindow.USER32 ref: 00F00968
GetDC.USER32(00000000), ref: 00F009A4
GetPixel.GDI32(00000000,?,00000003), ref: 00F009B0
ReleaseDC.USER32(00000000,00000003), ref: 00F009E8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: eb0996aa485d9b4689e7ff59a0e25023a31cbf0996058aafc1724b90a7967dd6
Instruction ID: f4a00f352d517134909fc253ed72e82f5a0927ff484a3cdc6f0d386e59e5b6d7
Opcode Fuzzy Hash: eb0996aa485d9b4689e7ff59a0e25023a31cbf0996058aafc1724b90a7967dd6
Instruction Fuzzy Hash: 7A218175600208AFD704EF65D884AAEBBE9EF45700F058069F94AA7362CB70AC04DB90

Function 00EBCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00EBCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EBCDE9

Part of subcall function 00EB3820: RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00EBCE0F
_free.LIBCMT ref: 00EBCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EBCE31

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: df47e33b5797338174eb2bf1f73e31f0a6faf3ed487929994314c22251abf1ed
Instruction ID: ef6518c3d0982f4c5c83d73f18076ec079eb16f854396b8acf1995ae3f05f6ca
Opcode Fuzzy Hash: df47e33b5797338174eb2bf1f73e31f0a6faf3ed487929994314c22251abf1ed
Instruction Fuzzy Hash: FC01F772605215BF23211AB66C8CCFB7A6DDEC6BA53255129FD05FB200EA60CD0191F1

Function 00E99639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E99693
SelectObject.GDI32(?,00000000), ref: 00E996A2
BeginPath.GDI32(?), ref: 00E996B9
SelectObject.GDI32(?,00000000), ref: 00E996E2

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4c4ecab73376f05def7788b1a6323f9e7679ea52a2bfde24589aaa00f8911894
Instruction ID: f057d1776caa9f2667bf977e3fa3cb19ad994d6e6e00111764095a0ef046a451
Opcode Fuzzy Hash: 4c4ecab73376f05def7788b1a6323f9e7679ea52a2bfde24589aaa00f8911894
Instruction Fuzzy Hash: 4A215070802309EBDF119F68EC187ED3BA9BB5135AF10421AF611B61B2D3706895EB94

Function 00EE5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EE5726
_memcmp.LIBVCRUNTIME ref: 00EE5744
_memcmp.LIBVCRUNTIME ref: 00EE5757
_memcmp.LIBVCRUNTIME ref: 00EE576F
_memcmp.LIBVCRUNTIME ref: 00EE5787

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d615334d32ee67e86b7fae1f2dcf59bf280268751d56a07e78891ef08442a522
Instruction ID: 1c77cfc27181406fd841567090c8039f86008b8d3f0d62947751726034e7140c
Opcode Fuzzy Hash: d615334d32ee67e86b7fae1f2dcf59bf280268751d56a07e78891ef08442a522
Instruction Fuzzy Hash: 0601D2A364160DFAD60896129D92EFB739C9B6539CF001022FD04BE241F660FD7892E1

Function 00EB2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00EAF2DE,00EB3863,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6), ref: 00EB2DFD
_free.LIBCMT ref: 00EB2E32
_free.LIBCMT ref: 00EB2E59
SetLastError.KERNEL32(00000000,00E81129), ref: 00EB2E66
SetLastError.KERNEL32(00000000,00E81129), ref: 00EB2E6F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: aa2b18b08856ae9f96f99c5a6dd7830bbc891c89d83a2cbe37c78b5898d9db0b
Instruction ID: 5eb13f38501a17367b748f328ebd335f704c64418b6ddf2a34d0f1986b03bf5c
Opcode Fuzzy Hash: aa2b18b08856ae9f96f99c5a6dd7830bbc891c89d83a2cbe37c78b5898d9db0b
Instruction Fuzzy Hash: 3801283624560477C61327766C46DEB36ADAFD57B9B21B42CFB25B21E2EF34CC016060

Function 00EE000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?,?,00EE035E), ref: 00EE002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?), ref: 00EE0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0070

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 50af3deb5ef9fd2a8cfc24cf470104a1257aa6930f03df03f010ba538eb78dc6
Instruction ID: c317af615e2a2fbb41ea3f78cd61747be8efa5eca071a475745bd1d7e7c2d873
Opcode Fuzzy Hash: 50af3deb5ef9fd2a8cfc24cf470104a1257aa6930f03df03f010ba538eb78dc6
Instruction Fuzzy Hash: 3D01A27264020CBFDB119F6AEC44BEA7AEDEF44761F159524F905E2210D7B1DD80ABA0

Function 00EEE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00EEE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00EEE9A5
Sleep.KERNEL32(00000000), ref: 00EEE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00EEE9B7
Sleep.KERNEL32 ref: 00EEE9F3

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 924f4b58e4a0268f67713f419056ed5784b1e70712d6cdd8f4ad041d3f9bc36e
Instruction ID: e7888592bf893b2f6740be7c4c9c68cfcee54e37c1d614462949895aafa017f9
Opcode Fuzzy Hash: 924f4b58e4a0268f67713f419056ed5784b1e70712d6cdd8f4ad041d3f9bc36e
Instruction Fuzzy Hash: 3A016931C4162DEBCF04AFE6DC59AEDBBB8FF48300F015586E502B2242CB319550DBA1

Function 00EE10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EE1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EE114D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 914fe0c79364df9f651c1fc4cc51e2d4bc01db1839bf5b0b4cfcc483e0aead57
Instruction ID: f3fe1825dc8f82e73eab37e59a91f847fa0bf82931e6f9b5e25555c88432c76c
Opcode Fuzzy Hash: 914fe0c79364df9f651c1fc4cc51e2d4bc01db1839bf5b0b4cfcc483e0aead57
Instruction Fuzzy Hash: 8901D179140308BFDB010F65DC08EAA3F6EEF85364B124014FA00D3350DB31CC409AA0

Function 00EE0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EE0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EE0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EE0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EE0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EE1002

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d4c03d2025d35acbc03d8ad7f7f1f66e051b4dd1c40cfd4360edb597c6fde294
Instruction ID: fa3112e529b00070ea201cf922ddda8be6bcfc78a54b96fecf6808bcb317c57f
Opcode Fuzzy Hash: d4c03d2025d35acbc03d8ad7f7f1f66e051b4dd1c40cfd4360edb597c6fde294
Instruction Fuzzy Hash: 38F0C239180309FBD7210FA5DC4DF963B6EEF89761F128414F945D7291CA30DC809AA0

Function 00EE1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EE102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1062

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f4a6ac56226f3138956a7205dcd9c99794b51d085aebb4f5c236f88074212331
Instruction ID: 0b4228d72b911552c5d80383e33ef571725cffc063a8d25edafd838971f7967b
Opcode Fuzzy Hash: f4a6ac56226f3138956a7205dcd9c99794b51d085aebb4f5c236f88074212331
Instruction Fuzzy Hash: 89F0C239180309FBD7211FA5EC48F963B6EEF89761F124414F945D7250CA30D8809AA0

Function 00EF030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF0324
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF0331
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF033E
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF034B
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF0358
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF0365

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 60450389931351649fd59ee8ab6a1331cae63e6c846c158edd4dab90b42daece
Instruction ID: 3376b8dbd0bcd4176b225ed6a871eb16d786a7dfd4d82cd503570a0d4d5dd0b8
Opcode Fuzzy Hash: 60450389931351649fd59ee8ab6a1331cae63e6c846c158edd4dab90b42daece
Instruction Fuzzy Hash: 7F01A272801B199FC7309F66D880822F7F5BF503193159A3FD29662932C371A954DF80

Function 00EBD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EBD752

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EBD764
_free.LIBCMT ref: 00EBD776
_free.LIBCMT ref: 00EBD788
_free.LIBCMT ref: 00EBD79A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f371c16240a4cc63eba11fe92474ed5c01774740d64cbb9a014f62cfe0189d4d
Instruction ID: f28d9b7be1d4e68d922f8357fdc61bd5563f03dacf553ee89d149b37444489b3
Opcode Fuzzy Hash: f371c16240a4cc63eba11fe92474ed5c01774740d64cbb9a014f62cfe0189d4d
Instruction Fuzzy Hash: 40F04F32509218BB8661EB64FDC5CD77BDDBF453147942C0AF548F7501DB20FC8086A4

Function 00EE5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00EE5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00EE5C6F
MessageBeep.USER32(00000000), ref: 00EE5C87
KillTimer.USER32(?,0000040A), ref: 00EE5CA3
EndDialog.USER32(?,00000001), ref: 00EE5CBD

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 1fcea3afd1d01a54884390e153d8521cf1729ac4b621a70125dd08c55b0995b1
Instruction ID: 6e0a30ae0333356255b8a5fd3aca4bd0a839869a9b9ccf57cd334edae9c398f1
Opcode Fuzzy Hash: 1fcea3afd1d01a54884390e153d8521cf1729ac4b621a70125dd08c55b0995b1
Instruction Fuzzy Hash: B101D131540B08ABEB205B11DD5EFE6B7B8BF04B09F052159A287B10E1DBF0A984DF90

Function 00EB22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EB22BE

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EB22D0
_free.LIBCMT ref: 00EB22E3
_free.LIBCMT ref: 00EB22F4
_free.LIBCMT ref: 00EB2305

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e567145a2a60dd5f8f905fe3ad01b4b9cfb05f331f4fe6949df55b5b48566356
Instruction ID: f9cc511cc351bb7d6798bac614a8a09ae2ca29a3583ee5a8154e16fbf6f41688
Opcode Fuzzy Hash: e567145a2a60dd5f8f905fe3ad01b4b9cfb05f331f4fe6949df55b5b48566356
Instruction Fuzzy Hash: 41F054744013189B8652AF54BC0199A3BE4FB59752B012A0EFB18E2271CB301411BFE5

Function 00E995C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E995D4
StrokeAndFillPath.GDI32(?,?,00ED71F7,00000000,?,?,?), ref: 00E995F0
SelectObject.GDI32(?,00000000), ref: 00E99603
DeleteObject.GDI32 ref: 00E99616
StrokePath.GDI32(?), ref: 00E99631

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ef7a5b2c5c9791d7d0cf750cbe4e419c8e5606db15044bf9b248bc35ae35cf7f
Instruction ID: 2a076157f774ca9a6356edebb7380731270c734b5425133c4110b20202158dcb
Opcode Fuzzy Hash: ef7a5b2c5c9791d7d0cf750cbe4e419c8e5606db15044bf9b248bc35ae35cf7f
Instruction Fuzzy Hash: 16F0373004630CEBDB225F69ED1CBA93B61BB15327F058258F665A50F2C7309995EFA4

Function 00EB0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00EB10F9
__freea.LIBCMT ref: 00EB1117

Part of subcall function 00EB1537: _free.LIBCMT ref: 00EB154F

Strings

a/p, xrefs: 00EB11DE
am/pm, xrefs: 00EB117A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: dc57967ba496cb9fa87c876900bc4ec708939eb30f216a426589b6743f8f5489
Instruction ID: c1d2c26e88aa94980ffe67dfac6bd7d50a295345ee777a766fb4e460deb72057
Opcode Fuzzy Hash: dc57967ba496cb9fa87c876900bc4ec708939eb30f216a426589b6743f8f5489
Instruction Fuzzy Hash: 2BD11831900206CADB249F68C865BFFB7F1FF05724F992199E601BB650E3759D80CB91

Function 00EB5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO, xrefs: 00EB5BA8, 00EB5C6C

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-1663374661
Opcode ID: a511482d45667dd96f8b332f3eba26e2f2ee7bcbc8ae635dca77e4af467e065d
Instruction ID: 7ad9559d7db4585837eec8fa9204c3c6a3369178b62ba129d91d7dc4b937a653
Opcode Fuzzy Hash: a511482d45667dd96f8b332f3eba26e2f2ee7bcbc8ae635dca77e4af467e065d
Instruction Fuzzy Hash: 8A5191729006099BCB11AFA4C885FEFBFF9AF49314F14215AF405BB291D73199019BA1

Function 00EB8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00EB8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00EB8B7A
__dosmaperr.LIBCMT ref: 00EB8B81

Strings

., xrefs: 00EB8A63

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-3963672497
Opcode ID: 32aea55759372622fc553463aab4a84ca4088e0854476d22e5198de3f90b4c3e
Instruction ID: df7c54745d8ebaca2dfe85e899c3d72eb90f90c0a4d8638daaea3d1671e68e3d
Opcode Fuzzy Hash: 32aea55759372622fc553463aab4a84ca4088e0854476d22e5198de3f90b4c3e
Instruction Fuzzy Hash: 06414B74604145AFD7249F64D9D0AFB7FE9DB85304B28A19AE885A7352DE318C02D790

Function 00EE2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EEB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EE21D0,?,?,00000034,00000800,?,00000034), ref: 00EEB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00EE2760

Part of subcall function 00EEB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EE21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00EEB3F8

Part of subcall function 00EEB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00EEB355
Part of subcall function 00EEB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00EE2194,00000034,?,?,00001004,00000000,00000000), ref: 00EEB365
Part of subcall function 00EEB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00EE2194,00000034,?,?,00001004,00000000,00000000), ref: 00EEB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EE27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EE281A

Strings

@, xrefs: 00EE2832

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c3299a7b624988c416c30892a543e1678236bfa3bdd742e97386f8b66a9ef123
Instruction ID: 14c6d6f77e3ef91f3ccaf0e9543a6a5c46c8196e902e6350390198c2327c42c8
Opcode Fuzzy Hash: c3299a7b624988c416c30892a543e1678236bfa3bdd742e97386f8b66a9ef123
Instruction Fuzzy Hash: DA412F7290021CAFDB10DFA5CD46ADEBBB8EF09700F105099FA55B7181DB706E45CBA1

Function 00EB172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00EB1769
_free.LIBCMT ref: 00EB1834
_free.LIBCMT ref: 00EB183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00EB1760, 00EB1767, 00EB1796, 00EB17CE

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: 3d4a1a2c01b467bbacd80e4b809ffb79bd8e3dec9b5e3244d3453fed18a22fbf
Instruction ID: c34b9d31b4f03b636a5780b2dcf09427660d0a7d24ec7fa907aa102ef9f33f7d
Opcode Fuzzy Hash: 3d4a1a2c01b467bbacd80e4b809ffb79bd8e3dec9b5e3244d3453fed18a22fbf
Instruction Fuzzy Hash: B8319F71A00218ABDB21DB999885EDFBBFCFF85320F5051AAF904E7211DA709A40DB90

Function 00EEC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00EEC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00EEC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F51990,01244C30), ref: 00EEC395

Strings

0, xrefs: 00EEC2DF

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b07a151fd8af8519277f928f727d93dbf5420e51a43ebd25734a789ea7714b83
Instruction ID: 76fa497f68d7079874aa8b79d36d67cdf338e29614be13c3c0309db23efa43ed
Opcode Fuzzy Hash: b07a151fd8af8519277f928f727d93dbf5420e51a43ebd25734a789ea7714b83
Instruction Fuzzy Hash: E341E3312043859FD720DF26D844F5ABBE8AF85314F24966DF9A5A72D2C730E805CB62

Function 00F14416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F1CC08,00000000,?,?,?,?), ref: 00F144AA
GetWindowLongW.USER32 ref: 00F144C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F144D7

Strings

SysTreeView32, xrefs: 00F1447C

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b21de93615a3f6497cd43ece17677f0e7c7dde2e01c8db2bab3b0da5290bd017
Instruction ID: 52f3ba7f47aa1436409d3d681819c39c0456dccc901811cbca41e9ff3b94bfdb
Opcode Fuzzy Hash: b21de93615a3f6497cd43ece17677f0e7c7dde2e01c8db2bab3b0da5290bd017
Instruction Fuzzy Hash: CC31AF31610205AFDF209E38DC45BDA7BA9EB48334F254315F979A31D0D771EC90AB50

Function 00EE6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00EE6EED
VariantCopyInd.OLEAUT32(?,?), ref: 00EE6F08
VariantClear.OLEAUT32(?), ref: 00EE6F12

Strings

*j, xrefs: 00EE6E8B, 00EE6E90, 00EE6EF8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j
API String ID: 2173805711-1845181700
Opcode ID: 938d3c73fb4081564cd84bb1ddf2718c6055481939f13202dae1c06711b45a7c
Instruction ID: 91c2de3dacfa72adfec1524abc3805e5221fcd465731a5212a13c821bd54fe4b
Opcode Fuzzy Hash: 938d3c73fb4081564cd84bb1ddf2718c6055481939f13202dae1c06711b45a7c
Instruction Fuzzy Hash: 6431B171708299DFCB04EFA5E8909FD37B6FFA5344B101498F8066B2A1CB309912DBD0

Function 00F0304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F0335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00F03077,?,?), ref: 00F03378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F0307A
_wcslen.LIBCMT ref: 00F0309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00F03106

Strings

255.255.255.255, xrefs: 00F03095, 00F0309A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 728429a04a20bf207a423b8af3bb0e8e701f51e17d08ccdc3f4e3e8ad9687f4e
Instruction ID: e4de6c6174fdb2a76a2cb79be05be17ee02697a2405bdd599342bbb4e7791271
Opcode Fuzzy Hash: 728429a04a20bf207a423b8af3bb0e8e701f51e17d08ccdc3f4e3e8ad9687f4e
Instruction Fuzzy Hash: DA31E735A04205DFCB10CF28C585EAA77E8EF54328F258059E8159B3D2D772EE45F761

Function 00F13EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F13F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F13F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F13F78

Strings

SysMonthCal32, xrefs: 00F13F0B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ea2d689f29535d9d54b103a808f04b97b84954bb56cf4d8c0be3791c3388d781
Instruction ID: 536bf78137ab55012fd36e764e381c207b4cd0221cfb5b069e279ec9130ffa35
Opcode Fuzzy Hash: ea2d689f29535d9d54b103a808f04b97b84954bb56cf4d8c0be3791c3388d781
Instruction Fuzzy Hash: 0921BF32A00219BFDF259F50CC46FEA3B75EB48724F110214FA197B1D0D6B1A895EB90

Function 00F14653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F14705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F14713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F1471A

Strings

msctls_updown32, xrefs: 00F14684

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b50fe182dbe659a0f97ca10810efc31b9f742706a4c113fe7390cb35f0be6f4c
Instruction ID: 068b5aabf4ece2595e26a5e3af8c9ee09667ef1827ce8b4a2fc81939775ee1f6
Opcode Fuzzy Hash: b50fe182dbe659a0f97ca10810efc31b9f742706a4c113fe7390cb35f0be6f4c
Instruction Fuzzy Hash: 6B2160B5600208AFEB11DF64DCC1DA737EDEB9A7A4B140059FA049B291CB71FC51EB60

Function 00EE95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EE961D

Strings

#OnAutoItStartRegister, xrefs: 00EE95F3
#requireadmin, xrefs: 00EE95D9
#notrayicon, xrefs: 00EE95B7

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 8c61eaeda9cdc398176d2583c1c85ae13ff638836eb10ac7f6c4aab83b188dae
Instruction ID: 79d12625038d8fbaae03eded12b79c8a1ae5c59c8e9f961edfa9ea8472df6b14
Opcode Fuzzy Hash: 8c61eaeda9cdc398176d2583c1c85ae13ff638836eb10ac7f6c4aab83b188dae
Instruction Fuzzy Hash: 7C218B72204696A6C331BB269C02FFB73E89F95304F106427F949BB083EB51ED85C3A1

Function 00F137B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F13840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F13850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F13876

Strings

Listbox, xrefs: 00F1380F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b8639a02e3d57be488092afe7e0a86590a8b05eb5c6bd34a1f59ad655b99321a
Instruction ID: 6d72a87f726a8a995fa3398c1d1a9f015b4b40ef8f3861e49ba887ac6c2872e6
Opcode Fuzzy Hash: b8639a02e3d57be488092afe7e0a86590a8b05eb5c6bd34a1f59ad655b99321a
Instruction Fuzzy Hash: E0219272A14218BBEF219F54DC45FFB376EEF89760F118124F9049B190C675DC92A7A0

Function 00EF49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EF4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EF4A5C
SetErrorMode.KERNEL32(00000000,?,?,00F1CC08), ref: 00EF4AD0

Strings

%lu, xrefs: 00EF4A6F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 794e4aedf737ad0dfa295492ca26009987290e831157622e67237ae753479fb6
Instruction ID: cc97321c52c6226d41ec9ac6b560e97d11ba2619a159f88a8be6edc5a9d25226
Opcode Fuzzy Hash: 794e4aedf737ad0dfa295492ca26009987290e831157622e67237ae753479fb6
Instruction Fuzzy Hash: 74318575A40109AFDB10DF54C885EBA7BF8EF05308F148099F909EB252D771ED45CBA1

Function 00F141EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F1424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F14264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F14271

Strings

msctls_trackbar32, xrefs: 00F14226

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 66842b70543a4fe48206a46b767fdfefabab3353ba377633417ddf562e6b6816
Instruction ID: 5daec33638e5d281114f7bd988d1571bd14669899e1dfb57a40a7cd417b12c22
Opcode Fuzzy Hash: 66842b70543a4fe48206a46b767fdfefabab3353ba377633417ddf562e6b6816
Instruction Fuzzy Hash: E6110631640248BEEF205F29CC06FEB3BACEFD5B64F110114FA55E2090D271EC91AB10

Function 00EE2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

Part of subcall function 00EE2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EE2DC5
Part of subcall function 00EE2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE2DD6
Part of subcall function 00EE2DA7: GetCurrentThreadId.KERNEL32 ref: 00EE2DDD
Part of subcall function 00EE2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EE2DE4

GetFocus.USER32 ref: 00EE2F78

Part of subcall function 00EE2DEE: GetParent.USER32(00000000), ref: 00EE2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00EE2FC3
EnumChildWindows.USER32(?,00EE303B), ref: 00EE2FEB

Strings

%s%d, xrefs: 00EE2FFF

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 758e08fc9a89e7229a282cd4cd16d107f70b2fcc420368ba1a68c364b5208e9f
Instruction ID: 4a874baa2bd35a6b4c3327a3fe8e66fbe42b00a2941b6c8a0925899fc9d7fc3e
Opcode Fuzzy Hash: 758e08fc9a89e7229a282cd4cd16d107f70b2fcc420368ba1a68c364b5208e9f
Instruction Fuzzy Hash: F711B7756002496BCF147F718C89EED77AAAF94318F049079FA0DBB252DE3099459B60

Function 00F15882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F158C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F158EE
DrawMenuBar.USER32(?), ref: 00F158FD

Strings

0, xrefs: 00F1588F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 5fab902839ba09a05d95c48dd46b2e38e831d4a0b7caf04e86ae43c4962c536b
Instruction ID: 6241660ca2b519e4c092a6c6818b4ff7fadaaec7e9d1013c98a26ee92464f2b4
Opcode Fuzzy Hash: 5fab902839ba09a05d95c48dd46b2e38e831d4a0b7caf04e86ae43c4962c536b
Instruction Fuzzy Hash: D2016D32500218EFDB219F11DC44BEEBBB9FB85760F148099E849D6151DB308AC4EF62

Function 00EDD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00EDD3BF
FreeLibrary.KERNEL32 ref: 00EDD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00EDD3B9
X64, xrefs: 00EDD2A8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 3ff562fc48cf142836d19ab786144dfede0505a1aef5f22584692a0ef032837f
Instruction ID: 25249b3b2fd4db5e1726f8f84903397c3c8b556ac02147c6b462ae118e7f9fd0
Opcode Fuzzy Hash: 3ff562fc48cf142836d19ab786144dfede0505a1aef5f22584692a0ef032837f
Instruction Fuzzy Hash: 70F02B318CD621EBDB7516108C64EE97324EF10705F5AB56BFC02F2315E720CD86A6D2

Function 00EE007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf875f035842e1fe8c32e0c037b783c869980f6f4d0589949335bceb0bf5261
Instruction ID: 422b0ff8e81a640b5ae0819a801a44d96df48af9712c6595ff1785831b7eb0d8
Opcode Fuzzy Hash: bcf875f035842e1fe8c32e0c037b783c869980f6f4d0589949335bceb0bf5261
Instruction Fuzzy Hash: 2DC16B75A0024AEFDB14CFA5C894EAEB7B5FF48304F209598E505EB251D771EE81CB90

Function 00F0342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F03459
CoUninitialize.OLE32 ref: 00F03463
VariantInit.OLEAUT32(?), ref: 00F0346E
VariantClear.OLEAUT32(?), ref: 00F0371B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 94aa99bf6c4d9c82eeaed3de5555012fa0e4ec873e18c7708a7d664f5f96cea6
Instruction ID: 059c44219a7594832bc00f4a6ccac819a997449372cde660ad7d6a59882aee84
Opcode Fuzzy Hash: 94aa99bf6c4d9c82eeaed3de5555012fa0e4ec873e18c7708a7d664f5f96cea6
Instruction Fuzzy Hash: 61A14F756043019FC710EF24C485A2AB7E9FF89714F148859F999AB3A2DB31ED01DB51

Function 00EE0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F1FC08,?), ref: 00EE05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F1FC08,?), ref: 00EE0608
CLSIDFromProgID.OLE32(?,?,00000000,00F1CC40,000000FF,?,00000000,00000800,00000000,?,00F1FC08,?), ref: 00EE062D
_memcmp.LIBVCRUNTIME ref: 00EE064E

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6855709527d1878755104cfb8b14126fa30a9a935d33a15fa35a03afa2033daa
Instruction ID: 6934dbbf17f06018e19bfe838d0380f0b6fe40c4a2a5e955d74438a30084d824
Opcode Fuzzy Hash: 6855709527d1878755104cfb8b14126fa30a9a935d33a15fa35a03afa2033daa
Instruction Fuzzy Hash: 3D810971A0010AEFCB04DF94C984EEEB7B9FF89315F205558E516BB250DB71AE46CBA0

Function 00F0A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F0A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00F0A6BA

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Process32NextW.KERNEL32(00000000,?), ref: 00F0A79C
CloseHandle.KERNEL32(00000000), ref: 00F0A7AB

Part of subcall function 00E9CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00EC3303,?), ref: 00E9CE8A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 252cde6d4d1f735d5faeddbccea607a5bbef08ddd2ec1ab87d9ce8479c7292ad
Instruction ID: 7b146743f9bc791d617b12bde52b0f05e6d6f1af55e94e201a197a80dd9765ce
Opcode Fuzzy Hash: 252cde6d4d1f735d5faeddbccea607a5bbef08ddd2ec1ab87d9ce8479c7292ad
Instruction Fuzzy Hash: 08518F71508300AFD714EF24C885E6BBBE8FF89754F04991DF589A7292EB30D904DB92

Function 00EC1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EC14C0

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 88b2151fbd2ceb4dd35556312a5158fc4cfc2a078bcb54eebcf5d15ac378b3a0
Instruction ID: 61665c490442227b7884e0f065ee1abd6d82ddcb5d134ca824dfdab4f16032b5
Opcode Fuzzy Hash: 88b2151fbd2ceb4dd35556312a5158fc4cfc2a078bcb54eebcf5d15ac378b3a0
Instruction Fuzzy Hash: 1C412A31500100AADB296BF88D45FEE3AE5FF47374F1462ADF829F6293E63648425261

Function 00F16278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F162E2
ScreenToClient.USER32(?,?), ref: 00F16315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00F16382

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 958e087ce0d41a30be4852daea3e73d1aa4380e2bea12548b0242c8470b9172e
Instruction ID: 2273d28715747dbad9e4f3d9fb8d9d25963457038195e74ad6a20fa1d4e9ea72
Opcode Fuzzy Hash: 958e087ce0d41a30be4852daea3e73d1aa4380e2bea12548b0242c8470b9172e
Instruction Fuzzy Hash: ED512974A00249AFDF14DF68D880AEE7BB5FB45360F108169F925DB2A0D770ED81EB90

Function 00F01AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F01AFD
WSAGetLastError.WSOCK32 ref: 00F01B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F01B8A
WSAGetLastError.WSOCK32 ref: 00F01B94

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 32ee1bd559ee091309886e006bcb27b899b1acc3bbe2b1d67ed94cce90788fd9
Instruction ID: c11673be1ccb46cba034390742a08b4f2964ff309b40fb03a3dfa744bb32ff03
Opcode Fuzzy Hash: 32ee1bd559ee091309886e006bcb27b899b1acc3bbe2b1d67ed94cce90788fd9
Instruction Fuzzy Hash: 4941B274640200AFEB20AF24C886F6977E5AF84718F54D488FA1AAF7D2D772DD41DB90

Function 00EBB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9739a614e682005f893c8f5fd1ee1a1fb8d15371de6a3568eb6a8f85ff7bdbc1
Instruction ID: f71e6b8f2ea340793ae57eee59f7d8d0216c930fbcb09e61f94734ab23c42fd9
Opcode Fuzzy Hash: 9739a614e682005f893c8f5fd1ee1a1fb8d15371de6a3568eb6a8f85ff7bdbc1
Instruction Fuzzy Hash: 5E412871A00714AFD7249F78CC41BEBBBE9EF89710F10566EF151EB292E7B1A9018790

Function 00EF56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EF5783
GetLastError.KERNEL32(?,00000000), ref: 00EF57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EF57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EF57FA

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 4adfefa824aa020f17a701aa3011f81796561b71aa81055d1b5d227f57009ae2
Instruction ID: b92d1a2c4fc02383badd263a9a62d8c23b0d0a715a52f0779d56b33c564eae1c
Opcode Fuzzy Hash: 4adfefa824aa020f17a701aa3011f81796561b71aa81055d1b5d227f57009ae2
Instruction Fuzzy Hash: D1412B39600654DFCB11EF15C444A5EBBE2AF89724B19D498EA5EAB362CB30FD40CB91

Function 00EBD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00EA82D9,?,00EA82D9,?,00000001,?,?,00000001,00EA82D9,00EA82D9), ref: 00EBD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EBD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00EBD9AB
__freea.LIBCMT ref: 00EBD9B4

Part of subcall function 00EB3820: RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 078a28f19451c3425de94234e829cae7bd06271845305c27342ab9d09cbd230d
Instruction ID: 188a5191824f86fb7547bce7adb0df0cee26fdee329192d6581a9171feac039d
Opcode Fuzzy Hash: 078a28f19451c3425de94234e829cae7bd06271845305c27342ab9d09cbd230d
Instruction Fuzzy Hash: 5131AB72A0020AABDF289F65DC41EEF7BA5EB81714F054168FC04EA290EB75DD54CBA0

Function 00F152C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00F15352
GetWindowLongW.USER32(?,000000F0), ref: 00F15375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F15382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F153A8

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: d4d113b2e134b80f64c5a798d5e5dc0145c100e9649eed64020fa1d78ec93596
Instruction ID: 4e7ab216a5f996dbe93eb4c5f8ef6518a62ce3266865bbaf02e1f1bc90b17fd8
Opcode Fuzzy Hash: d4d113b2e134b80f64c5a798d5e5dc0145c100e9649eed64020fa1d78ec93596
Instruction Fuzzy Hash: 8831C435E55A0CEFEB349E54CC15BE83767AB84BA0F584106FA24971E1C7B1ADC0BB41

Function 00EEAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00EEABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00EEAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00EEAC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00EEACC6

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e67cf3bb54fb0488cac4f7069c4ec0ff89bef7cded830ef151388320628a7b45
Instruction ID: 2451d05a732cf722efaf123722c1ade529aa7ee806587d901a889faa74140c5f
Opcode Fuzzy Hash: e67cf3bb54fb0488cac4f7069c4ec0ff89bef7cded830ef151388320628a7b45
Instruction Fuzzy Hash: 32312A30A4039C6FEF34CB668C047FAFBA5AB85314F2C622EE485721D1C375A9859792

Function 00F17674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F1769A
GetWindowRect.USER32(?,?), ref: 00F17710
PtInRect.USER32(?,?,00F18B89), ref: 00F17720
MessageBeep.USER32(00000000), ref: 00F1778C

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 27b982ec435353934ec7deff76445c0a3d149b64aff898e698b31673a6c6010e
Instruction ID: cb72e16f0dc677fbf0bd07e3d9bf15d28472499780b0fe35f467528fa3865c81
Opcode Fuzzy Hash: 27b982ec435353934ec7deff76445c0a3d149b64aff898e698b31673a6c6010e
Instruction Fuzzy Hash: 73417E35A053189FDB01EF59C894FE9BBF5BB49314F1581A8E5189B2A1C730A981EF90

Function 00F116DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F116EB

Part of subcall function 00EE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE3A57
Part of subcall function 00EE3A3D: GetCurrentThreadId.KERNEL32 ref: 00EE3A5E
Part of subcall function 00EE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EE25B3), ref: 00EE3A65

GetCaretPos.USER32(?), ref: 00F116FF
ClientToScreen.USER32(00000000,?), ref: 00F1174C
GetForegroundWindow.USER32 ref: 00F11752

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0c418e968ddaa48320b64bc624393f127460b240dc64ae5410e0eb97ad601187
Instruction ID: efe26b5ec941fb38c0228bf6e5327c25e67412af95d4b1b95bbab39eaaaf8986
Opcode Fuzzy Hash: 0c418e968ddaa48320b64bc624393f127460b240dc64ae5410e0eb97ad601187
Instruction Fuzzy Hash: 84316F71E00149AFDB00EFA9C881CEEBBF9EF48304B6490A9E519E7251D731DE45CBA0

Function 00EEDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

_wcslen.LIBCMT ref: 00EEDFCB
_wcslen.LIBCMT ref: 00EEDFE2
_wcslen.LIBCMT ref: 00EEE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00EEE018

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 9dc711b5026c166cfdf54d50b6b932b828296ec6ccc17d4c1de8f21241c80ed3
Instruction ID: 77b2a3c4d10394b4c2ccce415aa413bfab86b97f83fde7e8364f20ff58ce374d
Opcode Fuzzy Hash: 9dc711b5026c166cfdf54d50b6b932b828296ec6ccc17d4c1de8f21241c80ed3
Instruction Fuzzy Hash: 7E21A671900218AFCB10DFA4D981BAEB7F8EF89750F145065E805BB385D7709D40CBA1

Function 00F18FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

GetCursorPos.USER32(?), ref: 00F19001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00ED7711,?,?,?,?,?), ref: 00F19016
GetCursorPos.USER32(?), ref: 00F1905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00ED7711,?,?,?), ref: 00F19094

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: a2d7ac685e38b3b352603b3f11af77395615da72d75771e9e3a3614d7bb0050b
Instruction ID: 2f4584668dca944b6820a170f7dbfbc0ea8f2cc8bcd68a83c059714357eaa1c6
Opcode Fuzzy Hash: a2d7ac685e38b3b352603b3f11af77395615da72d75771e9e3a3614d7bb0050b
Instruction Fuzzy Hash: 32218035A00118AFDB25CFA5C868FEA7BB9FB49361F044065F90557261C371AD90FBA0

Function 00EED2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00F1CB68), ref: 00EED2FB
GetLastError.KERNEL32 ref: 00EED30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EED319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F1CB68), ref: 00EED376

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2e3a6f9078da8bdfe6cf7cdcac1fc0b4f1d14d0ed27267a3df5e4ba5741356ab
Instruction ID: dbae974abfbf6cd560fc85c35cf99fcffb4adf10a6ee8b25ea7a9baca61515bb
Opcode Fuzzy Hash: 2e3a6f9078da8bdfe6cf7cdcac1fc0b4f1d14d0ed27267a3df5e4ba5741356ab
Instruction Fuzzy Hash: 5C21A1745482459F8310EF29CC818AEB7E4EE5A328F105A1DF499E72E1D731D945CB93

Function 00EE1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EE102A
Part of subcall function 00EE1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1036
Part of subcall function 00EE1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1045
Part of subcall function 00EE1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE104C
Part of subcall function 00EE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EE15BE
_memcmp.LIBVCRUNTIME ref: 00EE15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE1617
HeapFree.KERNEL32(00000000), ref: 00EE161E

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: e61c7594c72009b40d12d89ad5c477c5cf371bde8b93b8e0c30e8ca29254e5d8
Instruction ID: 84fb9ca719b468c1c0fac546f2d2e7e7d2ef2306150f7efc9166af6c1393f1e7
Opcode Fuzzy Hash: e61c7594c72009b40d12d89ad5c477c5cf371bde8b93b8e0c30e8ca29254e5d8
Instruction Fuzzy Hash: BC218E31E40109EFDF00DFA6C945BEEB7B8EF44354F099499E445BB241E730AA45DB90

Function 00F12782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00F1280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F12824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F12832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00F12840

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 006f73737abea68d12897d7e1dd8b0c4441e13cc134c225835985397c0ffb077
Instruction ID: 785ccd2bad7e075b0421f15bdfc14022064d879b37aa0000f45fb9800e5ee992
Opcode Fuzzy Hash: 006f73737abea68d12897d7e1dd8b0c4441e13cc134c225835985397c0ffb077
Instruction Fuzzy Hash: 78210331604114AFD7149B64CC44FEA7B9AEF45324F198158F42A8B2E2CB75FC92DBD0

Function 00EE78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00EE790A,?,000000FF,?,00EE8754,00000000,?,0000001C,?,?), ref: 00EE8D8C
Part of subcall function 00EE8D7D: lstrcpyW.KERNEL32(00000000,?,?,00EE790A,?,000000FF,?,00EE8754,00000000,?,0000001C,?,?,00000000), ref: 00EE8DB2
Part of subcall function 00EE8D7D: lstrcmpiW.KERNEL32(00000000,?,00EE790A,?,000000FF,?,00EE8754,00000000,?,0000001C,?,?), ref: 00EE8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00EE8754,00000000,?,0000001C,?,?,00000000), ref: 00EE7923
lstrcpyW.KERNEL32(00000000,?,?,00EE8754,00000000,?,0000001C,?,?,00000000), ref: 00EE7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00EE8754,00000000,?,0000001C,?,?,00000000), ref: 00EE7984

Strings

cdecl, xrefs: 00EE797B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 3c3c00c5d5fd6a303c25fd8b34552a5e4ee8a9454d62c1a63a5193f4106e61f4
Instruction ID: 8a4f561b3d343929d49c5365e23ebe98ed362204f6a25ce3a32d7b64be9d8dca
Opcode Fuzzy Hash: 3c3c00c5d5fd6a303c25fd8b34552a5e4ee8a9454d62c1a63a5193f4106e61f4
Instruction Fuzzy Hash: 2711293A200389ABCB155F35DC44E7A77E9FF85354B11902AF886D7265EB32D801D791

Function 00F17CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00F17D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00F17D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F17D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EFB7AD,00000000), ref: 00F17D6B

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 8a3d7c369d5fb5fdf2f95066d7604faab2b1bdccfb88bfbbeee1a5e2613799c9
Instruction ID: ade470fd91f9c26888bc3bb2eded90a97c16a74ec3f215eec0af830f36298cf4
Opcode Fuzzy Hash: 8a3d7c369d5fb5fdf2f95066d7604faab2b1bdccfb88bfbbeee1a5e2613799c9
Instruction Fuzzy Hash: 7D11C032604718AFCB10AF28DC04AE63BA5BF45375B158724F939D72F0D7309991EB80

Function 00F15660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00F156BB
_wcslen.LIBCMT ref: 00F156CD
_wcslen.LIBCMT ref: 00F156D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F15816

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e64ac3bc59e9cf7a8323e4b295e8fac6091f8b92197ef27747c499aee8e4ba50
Instruction ID: 5b1387672ce0836cf80a79ced7c3562f31502839b0f3febf881f6371ead7ea50
Opcode Fuzzy Hash: e64ac3bc59e9cf7a8323e4b295e8fac6091f8b92197ef27747c499aee8e4ba50
Instruction Fuzzy Hash: 38110672A00609D6DF20DF61CC81AEE77ACEF95B74F504026F905D6081E770D9C4EBA0

Function 00EB1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6396e4bb1d5f5b460b275f54ff45ddc8e1f17d0688ea0978cafa99c8a2ae1f76
Instruction ID: 4bb58f5e53b1f6a28db80564c666ddfa0010aad2e1074fd90af741d7c3c1eeab
Opcode Fuzzy Hash: 6396e4bb1d5f5b460b275f54ff45ddc8e1f17d0688ea0978cafa99c8a2ae1f76
Instruction Fuzzy Hash: C901D1B220A71A7EF62126786CD0FE7665CDF817BAF71236AF621B11D2DB60CC005170

Function 00EE1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00EE1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE1A8A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e8458578bff4c0d02f341ed023a363ed220c9d8f448fbc6ec00cbd9f31fd7881
Instruction ID: 5abddd354d64ec08bc4d07f5e3519d71ffe37cc5f92bae33b9900bec6c367070
Opcode Fuzzy Hash: e8458578bff4c0d02f341ed023a363ed220c9d8f448fbc6ec00cbd9f31fd7881
Instruction Fuzzy Hash: 6411393AD01219FFEB10DBA5CD85FADBB78EB08750F2000A1EA04B7290D6716E90DB94

Function 00EEE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EEE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00EEE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EEE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EEE24D

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 18dea5b8bd84c964ff53c0abe86d9c7f4ea9445c841a4a6979e04d69e52a8d74
Instruction ID: 3677ff9e5816c609f8665c3316ea0f4424cbc048425b18c45559f774b0b79f0c
Opcode Fuzzy Hash: 18dea5b8bd84c964ff53c0abe86d9c7f4ea9445c841a4a6979e04d69e52a8d74
Instruction Fuzzy Hash: 7911087690435CBBC7019FA9AC05BDE7FACAB4A315F008215FA24F3390D2B0DD0497A0

Function 00EAD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00EACFF9,00000000,00000004,00000000), ref: 00EAD218
GetLastError.KERNEL32 ref: 00EAD224
__dosmaperr.LIBCMT ref: 00EAD22B
ResumeThread.KERNEL32(00000000), ref: 00EAD249

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a683300a6ac407c6a291c6fe9e4e36c5d8f1a3c5967c6601dfbd58c13f602fed
Instruction ID: ccf7ae5ef13e857f3d72857207330d6fd625219843e3b03fcb7a115017d45ce6
Opcode Fuzzy Hash: a683300a6ac407c6a291c6fe9e4e36c5d8f1a3c5967c6601dfbd58c13f602fed
Instruction Fuzzy Hash: EE010876409108BBC7115BA5DC05BAA7A99DF8B330F105219F926BA0E0CB70A800C6B0

Function 00F19EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

GetClientRect.USER32(?,?), ref: 00F19F31
GetCursorPos.USER32(?), ref: 00F19F3B
ScreenToClient.USER32(?,?), ref: 00F19F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00F19F7A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 15df21134d517df35c306c2160f170576388e1e14d629004ec0748efa696d877
Instruction ID: 85ea5d9d7ce9be1a865d4e8c9a279d888df6c484e6f5c322e21f2bbc86f4f611
Opcode Fuzzy Hash: 15df21134d517df35c306c2160f170576388e1e14d629004ec0748efa696d877
Instruction Fuzzy Hash: AB11333290421ABBDB10EFA8C8999EE77B9FB05321F004455F911E3141D3B4BA82EBE1

Function 00E8600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E8604C
GetStockObject.GDI32(00000011), ref: 00E86060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8606A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3275e6093f68b1fb18f682e3e5a6143928f986588410b03581c41c67292171ce
Instruction ID: 3ca37400110e4a5d5696e9e5160cfa489887569780892c7e9872214bf0f298b0
Opcode Fuzzy Hash: 3275e6093f68b1fb18f682e3e5a6143928f986588410b03581c41c67292171ce
Instruction Fuzzy Hash: 8211AD7210150CBFEF225FA48C54EEABB69FF083A8F015205FA0866150C732DC60EBA0

Function 00EA3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00EA3B56

Part of subcall function 00EA3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00EA3AD2
Part of subcall function 00EA3AA3: ___AdjustPointer.LIBCMT ref: 00EA3AED

_UnwindNestedFrames.LIBCMT ref: 00EA3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00EA3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00EA3BA4

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: aced855509fe34021b5ebc2758200dfd440bc381eb152b1439bbc9d61a48e809
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 0E012D72100148BBDF115EA5DC42EEB7FAAEF8E754F045014FE586A121C772E961DBA0

Function 00EB3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E813C6,00000000,00000000,?,00EB301A,00E813C6,00000000,00000000,00000000,?,00EB328B,00000006,FlsSetValue), ref: 00EB30A5
GetLastError.KERNEL32(?,00EB301A,00E813C6,00000000,00000000,00000000,?,00EB328B,00000006,FlsSetValue,00F22290,FlsSetValue,00000000,00000364,?,00EB2E46), ref: 00EB30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00EB301A,00E813C6,00000000,00000000,00000000,?,00EB328B,00000006,FlsSetValue,00F22290,FlsSetValue,00000000), ref: 00EB30BF

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 25b63cc8c5d96c9d247592402890c4033f3100de8ed497a41acf60989c3c66cb
Instruction ID: 5128057b5c68b63a735d8ca15ea0f461fc26a78923802421b9a0058200c5e58e
Opcode Fuzzy Hash: 25b63cc8c5d96c9d247592402890c4033f3100de8ed497a41acf60989c3c66cb
Instruction Fuzzy Hash: CA01F236785336ABCB315B79AC46AE77B98AF05BA5B215620F906F3140CB21D901C6E0

Function 00EE7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00EE747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00EE7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00EE74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00EE74CA

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 3e0dd9de953d340fa912edf48c0e232590ec8444cbc250c07e54b66fa35fc458
Instruction ID: d13c4004dbf12b7cf7c3e304f132041dd003bb93fcbc89b2f82c015f36177acd
Opcode Fuzzy Hash: 3e0dd9de953d340fa912edf48c0e232590ec8444cbc250c07e54b66fa35fc458
Instruction Fuzzy Hash: 2E11A1B5249358ABE720CF55DC08FD27FFCEB00B04F109569A6A6E6191D770E904DB90

Function 00EEB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EEACD3,?,00008000), ref: 00EEB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EEACD3,?,00008000), ref: 00EEB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EEACD3,?,00008000), ref: 00EEB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EEACD3,?,00008000), ref: 00EEB126

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 38c92656510a48282648102248e9da6f50d32c2244e78e0e7119948e2d22b54e
Instruction ID: dec3061355e6b8f2970068d8751ec77724b201de5b16d7423135d2a417e1dae2
Opcode Fuzzy Hash: 38c92656510a48282648102248e9da6f50d32c2244e78e0e7119948e2d22b54e
Instruction Fuzzy Hash: FC115B31C4166CE7CF04AFE6E9A87EFBB78FF49721F119086D941B2281CB305650AB91

Function 00F17E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F17E33
ScreenToClient.USER32(?,?), ref: 00F17E4B
ScreenToClient.USER32(?,?), ref: 00F17E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F17E8A

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: fa5a01660b8709eb4702a1d69bd8cb73d1fd369ab6a9885bee8e50bcbd18c93c
Instruction ID: 274af1b8cfe5e42378b4646aaf8ce672d11d791852db8e6581f645868412d7b4
Opcode Fuzzy Hash: fa5a01660b8709eb4702a1d69bd8cb73d1fd369ab6a9885bee8e50bcbd18c93c
Instruction Fuzzy Hash: B11140B9D0020AAFDB41DF98C884AEEBBF9FB08310F509066E915E3210D775AA54DF90

Function 00EE2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EE2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE2DD6
GetCurrentThreadId.KERNEL32 ref: 00EE2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EE2DE4

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f88e93e500a6fbde8d4c1489a34c9984d2d6a37deab5e3443c2c5e9e517908bb
Instruction ID: ed8b24a3bb138f5b5102ad63b35aa37f4c7d0cec4957ad7ff4a95c8a03ef7475
Opcode Fuzzy Hash: f88e93e500a6fbde8d4c1489a34c9984d2d6a37deab5e3443c2c5e9e517908bb
Instruction Fuzzy Hash: 9EE06D7158122C7BD7201BA39C0DEEB3E6CEB42BA1F015119B309E1080DBA08840D6F0

Function 00F18863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E99693
Part of subcall function 00E99639: SelectObject.GDI32(?,00000000), ref: 00E996A2
Part of subcall function 00E99639: BeginPath.GDI32(?), ref: 00E996B9
Part of subcall function 00E99639: SelectObject.GDI32(?,00000000), ref: 00E996E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00F18887
LineTo.GDI32(?,?,?), ref: 00F18894
EndPath.GDI32(?), ref: 00F188A4
StrokePath.GDI32(?), ref: 00F188B2

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 66e39c1d00017e79fc0a041de3764904e632343a027c0cdf865e466b55a8ca0a
Instruction ID: 407deb4269c702cde8323bf5a7fb3415053090d2231a11ff727375b73c8a02bb
Opcode Fuzzy Hash: 66e39c1d00017e79fc0a041de3764904e632343a027c0cdf865e466b55a8ca0a
Instruction Fuzzy Hash: B6F05E3608125CFADB125F94AC0AFCE3F59AF0A321F058000FB11A50E2C7755551EFE9

Function 00E998B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E998CC
SetTextColor.GDI32(?,?), ref: 00E998D6
SetBkMode.GDI32(?,00000001), ref: 00E998E9
GetStockObject.GDI32(00000005), ref: 00E998F1

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 4acbffce2b59a095cd2e8f25643f12b21fbd4bdc997f84f705cfe0c386207a5a
Instruction ID: 3650c6d357416f47ce8a7ffb5b6500e60aee7ec8b2ad2c123cfa296a37d6e39e
Opcode Fuzzy Hash: 4acbffce2b59a095cd2e8f25643f12b21fbd4bdc997f84f705cfe0c386207a5a
Instruction Fuzzy Hash: 1EE065312C4244BADB215B74BC09BD83F11EB11736F14C21AF6F5640E1C3714641AB11

Function 00EE162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00EE1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00EE11D9), ref: 00EE163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EE11D9), ref: 00EE1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00EE11D9), ref: 00EE164F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5034fad71d28fdbe7a4ceaab07e358875c28c15cc37b78f0c7ec1a716f31ee8f
Instruction ID: 946708fcb0dd44ee688651b9b2d2d0a4732a9ed6b58a24804d1dd4fd8685e3df
Opcode Fuzzy Hash: 5034fad71d28fdbe7a4ceaab07e358875c28c15cc37b78f0c7ec1a716f31ee8f
Instruction Fuzzy Hash: 95E08631641215DBD7201FA19D0DBC63B7CBF44795F16C848F245D9080D6344580DB90

Function 00EDD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EDD858
GetDC.USER32(00000000), ref: 00EDD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EDD882
ReleaseDC.USER32(?), ref: 00EDD8A3

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3274c60a97a140cbe530fbbe026d6ee627906668dcf4c99981a8fe4eec202f75
Instruction ID: 2691e23c50ad36f45d8ad22de96ab0f7cc821ce52ff8b36eedc434c084ad8667
Opcode Fuzzy Hash: 3274c60a97a140cbe530fbbe026d6ee627906668dcf4c99981a8fe4eec202f75
Instruction Fuzzy Hash: 5AE01AB4844208EFCF41AFA0D8086ADBBF2FB08310F25E009E80EE7250C7384901BF90

Function 00EDD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EDD86C
GetDC.USER32(00000000), ref: 00EDD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EDD882
ReleaseDC.USER32(?), ref: 00EDD8A3

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 97878f561f7fc4fbb5b47c32a2f18dabd8ae17e72c2c4e9987068377367424b5
Instruction ID: 7569b16628a86b25e83d5ab81bbb6298a9e3b66534f16e85a186659e8b8200ce
Opcode Fuzzy Hash: 97878f561f7fc4fbb5b47c32a2f18dabd8ae17e72c2c4e9987068377367424b5
Instruction Fuzzy Hash: 51E09A75D44208DFCF51AFA0D8086ADBBF5BB08311B15A449E94EE7250C7385901AF90

Function 00EF4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00EF4ED4

Strings

*, xrefs: 00EF4E10
LPT, xrefs: 00EF4DFB

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: ced8f9932fcf563f934494521f28dd5f1ef2e4361cbea695bd0274aab849c2ab
Instruction ID: 2dd5478f788eed110d0b51068e8e4d9784d63ca2a9cbf93f4bcf5c86c8b12dfb
Opcode Fuzzy Hash: ced8f9932fcf563f934494521f28dd5f1ef2e4361cbea695bd0274aab849c2ab
Instruction Fuzzy Hash: 759163B5A002089FCB14DF54C484EBABBF1BF45318F19A099E549AF3A2D731ED85CB91

Function 00E9E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00E9E1B1

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bf7b3e3b5a9a6fb33020abcd601f399acc1ea1d9e32383c243f2a9c7f43a4e9
Instruction ID: ab430129ea2e2b6c74bd9bf34df5eed4c5f5ebc24d6e107b1bcd04e1f170aa0d
Opcode Fuzzy Hash: 4bf7b3e3b5a9a6fb33020abcd601f399acc1ea1d9e32383c243f2a9c7f43a4e9
Instruction Fuzzy Hash: F0510F35900246DFDF19EF68C4856FA7BA8EF15314F246056E891BF3A0D6309D43CBA0

Function 00E9F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E9F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E9F2BB

Strings

@, xrefs: 00E9F2AF

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9fac522cde3f8a2285dfedf2f1ad4f78febf5dc90b7a4005c73283bddbbc87ea
Instruction ID: e9536d5f82764b6782aee01dc97b0d5f123515965278f3c83ca0fbbfea5738c9
Opcode Fuzzy Hash: 9fac522cde3f8a2285dfedf2f1ad4f78febf5dc90b7a4005c73283bddbbc87ea
Instruction Fuzzy Hash: D25158715087489BE320AF10EC86BAFBBF8FF85314F91884DF1D961195EB308529CB66

Function 00F05745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00F057E0
_wcslen.LIBCMT ref: 00F057EC

Strings

CALLARGARRAY, xrefs: 00F057E6, 00F057EB

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: a4108b78045115ada8d60eb2d4384916e9656eead625e3e09ecf345fb1b0488e
Instruction ID: 29d41d436f490faf058f4e880d571d73d1c6830caf156f6596b50dd018c59e63
Opcode Fuzzy Hash: a4108b78045115ada8d60eb2d4384916e9656eead625e3e09ecf345fb1b0488e
Instruction Fuzzy Hash: 74418F31E002099FCB14DFA9C8819BEBBF5EF59720F149069E905A7292E7709D81EF90

Function 00EFD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EFD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EFD13A

Strings

|, xrefs: 00EFD10B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: c21b64ce75f0f5158e8da50d7c0cd853a365ad76945c003f4c301487fcdddf43
Instruction ID: 48937a569583d5ff393ec80bb51349e46e0cb91368ae70f979029f2d044a79fb
Opcode Fuzzy Hash: c21b64ce75f0f5158e8da50d7c0cd853a365ad76945c003f4c301487fcdddf43
Instruction Fuzzy Hash: EB313E71D01219ABCF15EFA4CC85AEEBFBAFF05304F001059F919B6162E731AA16DB60

Function 00F1356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F13621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F1365C

Strings

static, xrefs: 00F135BC

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 2f577a30bbf56495057902ba1d7f86604b0747b2ed8882b2d590568481dba6dd
Instruction ID: 6d9ad86155f40873c570b6e1570f89870a70e8dcf9d29ff9e8cfb5ad4aec75c6
Opcode Fuzzy Hash: 2f577a30bbf56495057902ba1d7f86604b0747b2ed8882b2d590568481dba6dd
Instruction Fuzzy Hash: 0C318D71500204AEDB209F28DC80EFB73A9FF88764F10961DF9A997280DA35AD91E760

Function 00F14537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00F1461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F14634

Strings

', xrefs: 00F1458E

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c105b27aba3936f0a26e3a45180192131c1f8283602fe23a19aa3d1ddc8f1004
Instruction ID: fa6b251d15cde91ee2e2ad59dc00260e1e68d332b4c59e480bf7729d21b7a276
Opcode Fuzzy Hash: c105b27aba3936f0a26e3a45180192131c1f8283602fe23a19aa3d1ddc8f1004
Instruction Fuzzy Hash: FC313975A0030A9FDF14CFA9C990BDABBB6FF49314F14406AE904AB381D770A981DF90

Function 00F131EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F1327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F13287

Strings

Combobox, xrefs: 00F13249

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ab162c40ad7e4c1c14a892601d28c9e3a6dccac9fd69c1864cc7e7960b72d4e3
Instruction ID: b7f5a3a828d63ac67e0d85b8869cf21a2fa9f6041ce12fbe39a259925de6d162
Opcode Fuzzy Hash: ab162c40ad7e4c1c14a892601d28c9e3a6dccac9fd69c1864cc7e7960b72d4e3
Instruction Fuzzy Hash: 1F11B2717002487FEF21AE54DC80EFB3BABEB983A4F104128F918A7290D6319D91A760

Function 00F13710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E8604C
Part of subcall function 00E8600E: GetStockObject.GDI32(00000011), ref: 00E86060
Part of subcall function 00E8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8606A

GetWindowRect.USER32(00000000,?), ref: 00F1377A
GetSysColor.USER32(00000012), ref: 00F13794

Strings

static, xrefs: 00F13757

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ec4ad39a7388f6167a150114d47722748eb96fc3aadb8292a0711c8601c03150
Instruction ID: e431fca8ab70442329150aa6c2a77732c21614e7e3e846610a36da72c6d12ce1
Opcode Fuzzy Hash: ec4ad39a7388f6167a150114d47722748eb96fc3aadb8292a0711c8601c03150
Instruction Fuzzy Hash: 131126B261020AAFDF11DFA8CC46AEA7BB9FB08354F014914F955E2250E735E851ABA0

Function 00EFCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EFCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EFCDA6

Strings

<local>, xrefs: 00EFCD66

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 622736f424601c43d3b63fcb92d370dbb662abf8d1e18e7a0b8dec1a604306eb
Instruction ID: 5ebfdba4e108f4cc52866a1fe6e946e6534c2c1de0ed1e356286f913dcd6cee6
Opcode Fuzzy Hash: 622736f424601c43d3b63fcb92d370dbb662abf8d1e18e7a0b8dec1a604306eb
Instruction Fuzzy Hash: 2A11CA7124563D79D7344B668C45EFBBE5CEF127A4F705225B209A3080D7719941D6F0

Function 00F13429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F134AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F134BA

Strings

edit, xrefs: 00F1348F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9e7e24f9072bcaab3f192fd6220e417b91647759d73be5649f956b21a8b3e5ab
Instruction ID: c892485430c2709bccf9f57297b3c74950d866c1420c27b5ce15aff143be680e
Opcode Fuzzy Hash: 9e7e24f9072bcaab3f192fd6220e417b91647759d73be5649f956b21a8b3e5ab
Instruction Fuzzy Hash: 92118F71500208AFEF218E64DC44AEB37AAEB15374F504324FA65931D4C771EC91A750

Function 00EE6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

CharUpperBuffW.USER32(?,?,?), ref: 00EE6CB6
_wcslen.LIBCMT ref: 00EE6CC2

Strings

STOP, xrefs: 00EE6CBC, 00EE6CC1

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 47a913f9ceb15619160299a668eab4eddd7fb98eb92a75517b63c129406ca393
Instruction ID: ed29957438f18279a2ba7bdc0d22c145b7d5da31d6d99bee9a96703528cf63fd
Opcode Fuzzy Hash: 47a913f9ceb15619160299a668eab4eddd7fb98eb92a75517b63c129406ca393
Instruction Fuzzy Hash: 4401E532A0056A8A8B10AEBECC409BFB7E5EA717547501924E856B6195EA31D8008750

Function 00EE1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EE1D4C

Strings

ListBox, xrefs: 00EE1D16
ComboBox, xrefs: 00EE1CEB

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: be1298466d5ed07a756341eaa80a0f6e95630c14a370476d71820c5a6b54fcb9
Instruction ID: 5abf238541fa495c24b40a81edc998e23d6e6a7a4d3e64ad0b6471e074b50252
Opcode Fuzzy Hash: be1298466d5ed07a756341eaa80a0f6e95630c14a370476d71820c5a6b54fcb9
Instruction Fuzzy Hash: A1012831A0121CABCB08FBA0CC15CFEB7A8EB42350B141549F83A772C2EA3199488760

Function 00EE1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00EE1C46

Strings

ListBox, xrefs: 00EE1C10
ComboBox, xrefs: 00EE1BE5

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c27ced3c4face63e725f4641741acc5ef0591a72c5565f80eb814d4e2e4cbf34
Instruction ID: 80aec641248c1338f65fdfe9b778907aa37e379964ed33abd4107c0d56202f11
Opcode Fuzzy Hash: c27ced3c4face63e725f4641741acc5ef0591a72c5565f80eb814d4e2e4cbf34
Instruction Fuzzy Hash: 0501FC71B8114C67CB08F7A1C955AFFB7E89B11340F241055B80AB3182EA359E4897B1

Function 00EE1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00EE1CC8

Strings

ListBox, xrefs: 00EE1C94
ComboBox, xrefs: 00EE1C69

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2cc80c99e0fa1cf2bca9843582408d37dc2c4dad5fcc75390deb4f642c68c0b6
Instruction ID: fe9a2471b851ba2db00959c643e64d76591834e4c7a56bc1a6ac9f3ed2ea5db3
Opcode Fuzzy Hash: 2cc80c99e0fa1cf2bca9843582408d37dc2c4dad5fcc75390deb4f642c68c0b6
Instruction Fuzzy Hash: 5101DB71A8115C67CB08F7A1CA15AFEF7E89B11740F342015B80AB3282EA35DF48D771

Function 00EE1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00EE1DD3

Strings

ListBox, xrefs: 00EE1DA0
ComboBox, xrefs: 00EE1D75

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d496d63026a5901306d0a61bc7e1122ee1e04953ccd8caf87cf4a7446bb34509
Instruction ID: 02fba8cb5a020c3aa9f7d5347d0e36273d37ca9c4d3532c71be5744046891be7
Opcode Fuzzy Hash: d496d63026a5901306d0a61bc7e1122ee1e04953ccd8caf87cf4a7446bb34509
Instruction Fuzzy Hash: 2EF0F471E4121C67CB08F7A5CC56AFEB7A8AB01740F182915B82A732C2EB7199088360

Function 00F0747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F07493
_wcslen.LIBCMT ref: 00F074B9

Strings

3, 3, 16, 1, xrefs: 00F07483

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 87004348170733393fb80d77aa4f94cad547fba39139f76ae50d21b2d09fe956
Instruction ID: a393cf95b76cf57307fedc1841e28a26db0a47753625b188f0545061f4e3e646
Opcode Fuzzy Hash: 87004348170733393fb80d77aa4f94cad547fba39139f76ae50d21b2d09fe956
Instruction Fuzzy Hash: ECE02B4AE0436190D33136799CC197F96CDCFCA760710286BF981D62E6EAD4EDA1B3A1

Function 00EE0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EE0B23

Strings

AutoIt, xrefs: 00EE0B17
Error allocating memory., xrefs: 00EE0B1C

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 898abf93d51aadf9aab48c560f9f668ff81318e20f02321bca944850ff11787c
Instruction ID: 9c95ca6d58d2c1e4cf332af3faebd04de6a0d8913e0fdf9eed9b02219be006ee
Opcode Fuzzy Hash: 898abf93d51aadf9aab48c560f9f668ff81318e20f02321bca944850ff11787c
Instruction Fuzzy Hash: D9E0D83128430827D21036547C03FC97AC48F06F20F10542AFB48B94C38AD2649016EA

Function 00EA0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E9F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00EA0D71,?,?,?,00E8100A), ref: 00E9F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00E8100A), ref: 00EA0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E8100A), ref: 00EA0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EA0D7F

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c4e72b18b879daaca39c75f7c782402b3ddde4901883e21e3bf11ebdad927325
Instruction ID: f03007771bf3f38d19915193f385efa6a80a7a4af81ae043513c254409a003b3
Opcode Fuzzy Hash: c4e72b18b879daaca39c75f7c782402b3ddde4901883e21e3bf11ebdad927325
Instruction Fuzzy Hash: BCE092742007418BD3709FB8D4083827BE0BF05744F008D2DE486DA651DBF4F4889BD1

Function 00EF3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00EF302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00EF3044

Strings

aut, xrefs: 00EF3038

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 485be7ee63fc9e0d1f83b324680a85d4374bb6033cb724bf3775a043ea2fc2a1
Instruction ID: b1dae01cee86c5264dfcd6383f3634925e040678e4a6e32d9a6c4b7a5db013ce
Opcode Fuzzy Hash: 485be7ee63fc9e0d1f83b324680a85d4374bb6033cb724bf3775a043ea2fc2a1
Instruction Fuzzy Hash: 61D05EB254032867DA20A7A4AC0EFCB3A6CDB05750F0002A1BA55E2091DAF4D984CAD1

Function 00EDD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EDD220

Strings

X64, xrefs: 00EDD2A8
%.3d, xrefs: 00EDD22B

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: fb0ffa0cdd192fe6954bfe2cd78b9cc4ba5cb212446aedb11e22dd4d6ae7a1c8
Instruction ID: 7c21b72076794662e09b988aff28b202543b6ef335a20dc6ffcde9473289aa99
Opcode Fuzzy Hash: fb0ffa0cdd192fe6954bfe2cd78b9cc4ba5cb212446aedb11e22dd4d6ae7a1c8
Instruction Fuzzy Hash: 12D012A184C118EACF509AD0CC458F9B3BCEB18341F50A453FC06F1150E634C50A6B61

Function 00F12356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F1236C
PostMessageW.USER32(00000000), ref: 00F12373

Part of subcall function 00EEE97B: Sleep.KERNEL32 ref: 00EEE9F3

Strings

Shell_TrayWnd, xrefs: 00F12365

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4c18ca3b7bd4c29faaca404e60194f322ea447e43d166870e678318b60e332cd
Instruction ID: a0826131f315b1bab49423be98027003c920da7b980866f331c5285d3a3edf94
Opcode Fuzzy Hash: 4c18ca3b7bd4c29faaca404e60194f322ea447e43d166870e678318b60e332cd
Instruction Fuzzy Hash: 8CD022323C03047BE264B370DC0FFC6BA449B00B00F0189027705EA1D0C8F0B800DA84

Function 00F12322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F1232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F1233F

Part of subcall function 00EEE97B: Sleep.KERNEL32 ref: 00EEE9F3

Strings

Shell_TrayWnd, xrefs: 00F12325

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8eb8753f7ade3384be188a91229e3a021fa3afe5c26e61d14c17ec998a1782fa
Instruction ID: 4351db4346060e745275b6525bd591625e5c134b4379c31f5aee8b3a06211bdc
Opcode Fuzzy Hash: 8eb8753f7ade3384be188a91229e3a021fa3afe5c26e61d14c17ec998a1782fa
Instruction Fuzzy Hash: 22D022323C0304BBE264B370DC0FFC6BA449B00B00F0189027709EA1D0C8F0A800DA80

Function 00EBBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00EBBE93
GetLastError.KERNEL32 ref: 00EBBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EBBEFC

Memory Dump Source

Source File: 00000000.00000002.2209670476.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.2209637951.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2210917413.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211217556.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2211312581.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: fa08bae52517edc0efb6b3e10be7b5daf1ad0e9fd9fb2aa3b62c917a0993b42e
Instruction ID: 4a22cbc09a886a1a4b22e192855deae39f580b613f8502dfa6c1bad48c9b8425
Opcode Fuzzy Hash: fa08bae52517edc0efb6b3e10be7b5daf1ad0e9fd9fb2aa3b62c917a0993b42e
Instruction Fuzzy Hash: 0841F73470020AAFCF218FA5CC44AFB7BA9EF42314F156169F959BB1A1DBB09D01DB60

Analysis Process: firefox.exePID: 7624, Parent PID: 3196COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001F24EB75C32 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001F24EB75C97

Strings

z, xrefs: 000001F24EB77276
#, xrefs: 000001F24EB75CC2
#, xrefs: 000001F24EB74005
>, xrefs: 000001F24EB75CF9
A, xrefs: 000001F24EB75C8F
#, xrefs: 000001F24EB76D71
4, xrefs: 000001F24EB79D19
>, xrefs: 000001F24EB79D3F
z, xrefs: 000001F24EB75CCB
>, xrefs: 000001F24EB76A9C

Memory Dump Source

Source File: 00000012.00000002.3408856649.000001F24EB73000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F24EB73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1f24eb73000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: 5bbb13ddc41b1a3a2a30a025c78bf1cb864e371f6e6e5629105877e7f97ba27e
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: 57A3D331618E598BEB2EDF28DC966F977E5FB94300F10423ED84AC7655DE70E9028AC1

Function 000001F24EB5D979 Relevance: 1.1, Instructions: 1118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.3408592604.000001F24EB5C000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F24EB5C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1f24eb5c000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa3efc101bd4a3548313bd16c11459352c5b2ce945ac07cd5127d382387a6fc
Instruction ID: 5d3f8df2561fe360a5368876451f35cb44c7566726a09d7883c127f15a3f1ccd
Opcode Fuzzy Hash: 8aa3efc101bd4a3548313bd16c11459352c5b2ce945ac07cd5127d382387a6fc
Instruction Fuzzy Hash: 7231B93120CB4C4FE759EF18D845AA67BE1FB5A310F0506AFE489C7292EB34D9458782

Function 000001F24EB5D9B5 Relevance: 1.1, Instructions: 1060
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.3408592604.000001F24EB5C000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001F24EB5C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1f24eb5c000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9497c60229e84edd2716b2bbba815d8da82104f5e6a6c3721aac065821d86664
Instruction ID: 298c05e43163abe8daaa755c9be0d47a031b092ecc28da6815604c2803ddf9d7
Opcode Fuzzy Hash: 9497c60229e84edd2716b2bbba815d8da82104f5e6a6c3721aac065821d86664
Instruction Fuzzy Hash: 51019E3250CB4D8FDB45DF18C884A96BBE4FB59310F04066FE099C3291E774DA448781

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2385108052.00000230BC227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2360829823.00000230BC286000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288591342.00000230BC276000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2292329861.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2361806862.00000230BA84A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2361509651.00000230BC0A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292329861.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289712975.00000230BC0A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2385108052.00000230BC227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216771346.00000230B34FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216771346.00000230B34CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2382376341.00000230BC2B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288591342.00000230BC2B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288591342.00000230BC276000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2218574130.00000230B2764000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292329861.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2361806862.00000230BA84A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2361509651.00000230BC0A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292329861.00000230BA6B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289712975.00000230BC0A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2294748075.00000230B5985000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2374371012.00000230B5985000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3403864633.000001F24E50A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2294748075.00000230B5985000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2374371012.00000230B5985000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3403864633.000001F24E50A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2294748075.00000230B5985000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2374371012.00000230B5985000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3403864633.000001F24E50A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2288591342.00000230BC2BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2360829823.00000230BC2BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://6edd4cbe-8a9f-4158-beca-90f5feba9c8c/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2330095816.00000230B374E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2385108052.00000230BC227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216771346.00000230B34FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2400421128.00000230AFA69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comx equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2382376341.00000230BC2B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288591342.00000230BC2B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288591342.00000230BC276000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2400421128.00000230AFA69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comb equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2216771346.00000230B3470000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216771346.00000230B34B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216771346.00000230B34CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.6:49903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49909 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50035 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50040 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50042 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50041 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_98b256db-8edc-4665-a906-46cc0b924b85.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_98b256db-8edc-4665-a906-46cc0b924b85.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre