Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545817
MD5:	1d861b36e55e04fbc04ff38b5d152a08
SHA1:	f53ddbe7888dd7876cb8f6e8f8747444d360ec7f
SHA256:	70cc27da966c738d1b02fb80ce3743002343a8a7a4b8fe0a908114c723c683e5
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6576 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1D861B36E55E04FBC04FF38B5D152A08)

taskkill.exe (PID: 3440 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1532 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1868 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 748 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5440 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6380 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6768 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1288 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3356 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39515606-0953-4238-9f6b-6d6653a23c41} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1fdff570310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7504 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4236 -parentBuildID 20230927232528 -prefsHandle 4656 -prefMapHandle 4648 -prefsLen 26273 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e71d3d03-5e0e-4be1-9e03-002cc7d7a404} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1fd91c29910 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8032 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5036 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4940 -prefMapHandle 4952 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04af4695-a06b-4c33-be4e-ae43f533d05c} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1fd994d8510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2105717464.00000000016FF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 6576	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0048EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0048EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0048ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0048ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0048EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0047AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_004A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2043038621.00000000004D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6644d52d-a
Source: file.exe, 00000000.00000000.2043038621.00000000004D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5ef6373a-d
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9c6be0b3-e
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7dd155b8-7

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001A859419B77 NtQuerySystemInformation,		17_2_000001A859419B77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001A859435272 NtQuerySystemInformation,		17_2_000001A859435272

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0047D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00471201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00471201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0047E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041BF40	0_2_0041BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00482046	0_2_00482046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418060	0_2_00418060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00478298	0_2_00478298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044E4FF	0_2_0044E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044676B	0_2_0044676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A4873	0_2_004A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041CAF0	0_2_0041CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043CAA0	0_2_0043CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042CC39	0_2_0042CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00446DD9	0_2_00446DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042B119	0_2_0042B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004191C0	0_2_004191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431394	0_2_00431394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431706	0_2_00431706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043781B	0_2_0043781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042997D	0_2_0042997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00417920	0_2_00417920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004319B0	0_2_004319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00437A4A	0_2_00437A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431C77	0_2_00431C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00437CA7	0_2_00437CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0049BE44	0_2_0049BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00449EEE	0_2_00449EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431F32	0_2_00431F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001A859419B77	17_2_000001A859419B77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001A859435272	17_2_000001A859435272
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001A8594352B2	17_2_000001A8594352B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000001A85943599C	17_2_000001A85943599C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0042F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00430A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00419CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@73/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004837B5 GetLastError,FormatMessageW,

0_2_004837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004710BF AdjustTokenPrivileges,CloseHandle,		0_2_004710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0047D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0048648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0048648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2237263389.000001FD99438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192710755.000001FD99442000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263748819.000001FD99442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2237263389.000001FD99438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192710755.000001FD99442000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263748819.000001FD99442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2237263389.000001FD99438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192710755.000001FD99442000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263748819.000001FD99442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2237263389.000001FD99438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192710755.000001FD99442000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263748819.000001FD99442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2237263389.000001FD99438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192710755.000001FD99442000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263748819.000001FD99442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2237263389.000001FD99438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192710755.000001FD99442000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263748819.000001FD99442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2237263389.000001FD99438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192710755.000001FD99442000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263748819.000001FD99442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2237263389.000001FD99438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192710755.000001FD99442000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263748819.000001FD99442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2237263389.000001FD99438000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192710755.000001FD99442000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263748819.000001FD99442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39515606-0953-4238-9f6b-6d6653a23c41} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1fdff570310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4236 -parentBuildID 20230927232528 -prefsHandle 4656 -prefMapHandle 4648 -prefsLen 26273 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e71d3d03-5e0e-4be1-9e03-002cc7d7a404} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1fd91c29910 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5036 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4940 -prefMapHandle 4952 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04af4695-a06b-4c33-be4e-ae43f533d05c} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1fd994d8510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39515606-0953-4238-9f6b-6d6653a23c41} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1fdff570310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4236 -parentBuildID 20230927232528 -prefsHandle 4656 -prefMapHandle 4648 -prefsLen 26273 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e71d3d03-5e0e-4be1-9e03-002cc7d7a404} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1fd91c29910 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5036 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4940 -prefMapHandle 4952 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04af4695-a06b-4c33-be4e-ae43f533d05c} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1fd994d8510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2179011092.000001FD8EF8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: kbdus.pdb source: firefox.exe, 0000000E.00000003.2201290392.000001FD8F006000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2201017559.000001FD8EFF6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2206331487.000001FD8EFB3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2206910258.000001FD8EFAB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2206331487.000001FD8EFB3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2205010192.000001FD8EFAB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2179011092.000001FD8EF8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2206910258.000001FD8EFAB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2205010192.000001FD8EFAB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdbGCTL source: firefox.exe, 0000000E.00000003.2201290392.000001FD8F006000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2201017559.000001FD8EFF6000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00430A76 push ecx; ret

0_2_00430A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0042F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95958

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001A859419B77 rdtsc

17_2_000001A859419B77

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0047DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044C2A2 FindFirstFileExW,	0_2_0044C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004868EE FindFirstFileW,FindClose,	0_2_004868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0048698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0047D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0047D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00489642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00489642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0048979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00489B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00489B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00485C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00485C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Source: firefox.exe, 00000010.00000002.3299022145.000001A4D4D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: firefox.exe, 00000011.00000002.3297527766.000001A859A10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(*d
Source: firefox.exe, 00000010.00000002.3299022145.000001A4D4D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: firefox.exe, 00000011.00000002.3297527766.000001A859A10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWs
Source: firefox.exe, 00000010.00000002.3292274800.000001A4D479A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3296974329.000001DD4B000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3297966800.000001A4D4C17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3290463355.000001A85917A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000012.00000002.3290733379.000001DD4ABDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 00000010.00000002.3299022145.000001A4D4D00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3297527766.000001A859A10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000001A859419B77 rdtsc

17_2_000001A859419B77

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0048EAA2 BlockInput,

0_2_0048EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00442622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00442622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00434CE8 mov eax, dword ptr fs:[00000030h]

0_2_00434CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00470B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00470B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00442622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00442622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004309D5 SetUnhandledExceptionFilter,	0_2_004309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00430C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00430C21

Source: C:\Users\user\Desktop\file.exe

0_2_00471201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00452BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00452BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047B226 SendInput,keybd_event,

0_2_0047B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00470B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00471663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00471663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00430698 cpuid

0_2_00430698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00488195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00488195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046D27A GetUserNameW,

0_2_0046D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0044B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0044B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2105717464.00000000016FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6576, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2105717464.00000000016FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6576, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00491204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00491204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00491806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00491806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://fpn.firefox.com	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.252.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.193	true	false		unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false		unknown
services.addons.mozilla.org	151.101.65.91	true	false		unknown
dyna.wikimedia.org	185.15.59.224	true	false		unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false		unknown
contile.services.mozilla.com	34.117.188.166	true	false		unknown
youtube.com	142.250.185.238	true	false		unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false		unknown
youtube-ui.l.google.com	216.58.212.174	true	false		unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false		unknown
reddit.map.fastly.net	151.101.193.140	true	false		unknown
ipv4only.arpa	192.0.0.170	true	false		unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false		unknown
push.services.mozilla.com	34.107.243.93	true	false		unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false		unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false		unknown
www.reddit.com	unknown	unknown	false		unknown
spocs.getpocket.com	unknown	unknown	false		unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false		unknown
support.mozilla.org	unknown	unknown	false		unknown
firefox.settings.services.mozilla.com	unknown	unknown	false		unknown
www.youtube.com	unknown	unknown	false		unknown
www.facebook.com	unknown	unknown	false		unknown
detectportal.firefox.com	unknown	unknown	false		unknown
normandy.cdn.mozilla.net	unknown	unknown	false		unknown
shavar.services.mozilla.com	unknown	unknown	false		unknown
www.wikipedia.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.3291396322.000001A8593C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3292273154.000001DD4AFC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2280481342.000001FD97DAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2263922764.000001FD97D96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273039565.000001FD97D96000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2126634596.000001FD97635000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2109116008.000001FD97636000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3293196445.000001A4D4ACA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3291396322.000001A8593EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3297254883.000001DD4B104000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3291396322.000001A859386000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3292273154.000001DD4AF8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2297109544.000001FD8FF3D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2295473958.000001FD90643000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2115517369.000001FD90767000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2300599656.000001FD975D8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2193309388.000001FD97A1D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2195089644.000001FD977A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273039565.000001FD97DF7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2089242220.000001FD8F23E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089354807.000001FD8F260000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089121248.000001FD8F21D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089500096.000001FD8F281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2088967056.000001FD8F700000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2276833670.000001FD9118E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296015826.000001FD8FFED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294026666.000001FD906A3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2268667172.000001FD9942C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2278749884.000001FD91841000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2089242220.000001FD8F23E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291838178.000001FD90E94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089354807.000001FD8F260000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089121248.000001FD8F21D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089500096.000001FD8F281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2088967056.000001FD8F700000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2089242220.000001FD8F23E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089354807.000001FD8F260000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089121248.000001FD8F21D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2088967056.000001FD8F700000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2263136345.000001FD9957C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2303671606.000001FD90A2A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2297109544.000001FD8FF3D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2287718029.000001FD97C5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2195089644.000001FD977A9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2084397055.000001FD8D28E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000E.00000003.2246081876.000001FD915F4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2278749884.000001FD91841000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2195089644.000001FD977A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3291396322.000001A85930A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3292273154.000001DD4AF0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2172497379.000001FD90341000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2173653833.000001FD90354000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2303373479.000001FD90A43000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2295473958.000001FD90643000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2287718029.000001FD97C5F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2300464844.000001FD9777F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3291396322.000001A8593C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3292273154.000001DD4AFC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2288739944.000001FD96FD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282425029.000001FD91BAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293467148.000001FD908A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2172497379.000001FD90341000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2173653833.000001FD90354000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2190536668.000001FD910E5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2290150058.000001FD91825000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2296015826.000001FD8FFFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2276833670.000001FD9118E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2273039565.000001FD97D96000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2302567081.000001FD90D81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3293196445.000001A4D4ACA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3291396322.000001A8593EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3297254883.000001DD4B104000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3293196445.000001A4D4ACA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3291396322.000001A8593EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3297254883.000001DD4B104000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2278749884.000001FD91841000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000011.00000002.3291396322.000001A859312000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3292273154.000001DD4AF13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2295473958.000001FD90643000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3291593283.000001DD4AEB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co5l	firefox.exe, 00000011.00000002.3296933865.000001A8594C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2237890601.000001FD97BC4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2298822501.000001FD97AE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269005294.000001FD97AE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2306085685.000001FD97AE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193309388.000001FD97AE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2211882754.000001FD910DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267266858.000001FD910DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210633615.000001FD9123A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2205678417.000001FD8FBBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250429028.000001FD8EB26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2241895639.000001FD920BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195728785.000001FD97717000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2204843090.000001FD97683000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2098160967.000001FD8FBE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2145181378.000001FD912C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210633615.000001FD91231000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240348611.000001FD92F50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2098431592.000001FD8FB35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270818114.000001FD920BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302141026.000001FD91CF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2260573060.000001FD91063000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297356822.000001FD8FCD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245101593.000001FD91CF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272021060.000001FD90439000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2123403850.000001FD92461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221355036.000001FD8EB26000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2273603265.000001FD9777D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2195495781.000001FD9774E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2195495781.000001FD9774E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2298822501.000001FD97AE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269005294.000001FD97AE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2306085685.000001FD97AE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193309388.000001FD97AE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2126634596.000001FD97635000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2293467148.000001FD90876000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2265348888.000001FD97A6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2193309388.000001FD97A6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2115517369.000001FD90767000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2293467148.000001FD90876000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2193309388.000001FD97AA5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2197399778.000001FD8F56E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2246269519.000001FD915B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2275498556.000001FD915B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2270818114.000001FD920D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2112170152.000001FD920E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2241895639.000001FD920D5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2172497379.000001FD90341000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2173653833.000001FD90354000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2197399778.000001FD8F56E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2287718029.000001FD97C5F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2281745466.000001FD97507000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3292033366.000001A4D4750000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3290852309.000001A8591B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3291317654.000001DD4AE00000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2295473958.000001FD90643000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2115517369.000001FD90767000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.185.238	youtube.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545817
Start date and time:	2024-10-31 04:15:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@73/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.11.191.138, 35.160.212.113, 54.185.230.140, 216.58.206.46, 2.22.61.59, 2.22.61.56, 2.18.121.79, 2.18.121.73, 142.250.185.170, 142.250.186.106
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:16:09	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
34.160.144.191	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.129
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.252.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	Arquivo_4593167.msi	Get hash	malicious	AteraAgent	Browse	199.232.210.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	V6QED2Q1WBYVOPE	Get hash	malicious	Unknown	Browse	151.101.67.6
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b672c5e8-b960-444e-ac57-75a237ddab58.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1839207087507875
Encrypted:	false
SSDEEP:	192:QKMXfr8cbhbVbTbfbRbObtbyEl7nMrFJA6wnSrDtTkd/Sk:QPAcNhnzFSJsrAjnSrDhkd/x
MD5:	B40C16B19C50E6485D64D33152C7E83B
SHA1:	0EB50659875A65199297BFF546E4568CC032CC54
SHA-256:	AD322B5C4DEEA0B47E92D41E580703F34DE4220EEE70FE7B9B5268FF7E3F457C
SHA-512:	46B62D3D257DA6C728F14E0CF0BDE96708383288D50CF986B06EA0A1A9157677ED72D27D1B6FD7FCC1A8588DB93FC093CDB81A97C69A83F5E4E575B36EAAF1FE
Malicious:	false
Preview:	{"type":"uninstall","id":"b672c5e8-b960-444e-ac57-75a237ddab58","creationDate":"2024-10-31T04:56:26.062Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b672c5e8-b960-444e-ac57-75a237ddab58.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1839207087507875
Encrypted:	false
SSDEEP:	192:QKMXfr8cbhbVbTbfbRbObtbyEl7nMrFJA6wnSrDtTkd/Sk:QPAcNhnzFSJsrAjnSrDhkd/x
MD5:	B40C16B19C50E6485D64D33152C7E83B
SHA1:	0EB50659875A65199297BFF546E4568CC032CC54
SHA-256:	AD322B5C4DEEA0B47E92D41E580703F34DE4220EEE70FE7B9B5268FF7E3F457C
SHA-512:	46B62D3D257DA6C728F14E0CF0BDE96708383288D50CF986B06EA0A1A9157677ED72D27D1B6FD7FCC1A8588DB93FC093CDB81A97C69A83F5E4E575B36EAAF1FE
Malicious:	false
Preview:	{"type":"uninstall","id":"b672c5e8-b960-444e-ac57-75a237ddab58","creationDate":"2024-10-31T04:56:26.062Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925222878990726
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNu96Oxeh:8S+OVPUFRbOdwNIOdYpjvY1Q6Ll38P
MD5:	30B90E0DF5F55043E884C6F93DE83415
SHA1:	02B7FB09240B958CF360857918F7B3FEEF1BFB83
SHA-256:	C5F720E12749FA0308EF757F8E02C007E07CA83BF1C4E834615D094AF23F0C2E
SHA-512:	ACEE5645AA790C0427508C505761F011771FF7BE27833A3ABB5864A78A431B2C5D231AA0F044B2EA2C0E87CC6DFA082C9EDEDEAF7D4CE1AC5337AFDA6B1A5624
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925222878990726
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNu96Oxeh:8S+OVPUFRbOdwNIOdYpjvY1Q6Ll38P
MD5:	30B90E0DF5F55043E884C6F93DE83415
SHA1:	02B7FB09240B958CF360857918F7B3FEEF1BFB83
SHA-256:	C5F720E12749FA0308EF757F8E02C007E07CA83BF1C4E834615D094AF23F0C2E
SHA-512:	ACEE5645AA790C0427508C505761F011771FF7BE27833A3ABB5864A78A431B2C5D231AA0F044B2EA2C0E87CC6DFA082C9EDEDEAF7D4CE1AC5337AFDA6B1A5624
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07334626169256728
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki0:DLhesh7Owd4+ji
MD5:	08F44E2EBE4A4F095198FDAF86DD9195
SHA1:	7BDD78EF2CF5C09C606171A191227BFB7CAA6E4D
SHA-256:	599253B3088A673B2F9110E2BFDE9FF7DA3EBAD2B1EC354CE2A88997EB7B23B5
SHA-512:	974F89163B119289D7879F6DC04D6D343C357F3C221E100D7CF42DE628BCF7FBD1B31932937F51157A5209EA1D2F8444502CF2630C49CB59E11839D7927FFE8F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstFnQtjq9EZQFVAmHPlstFnQtjq9EZQFVAm8x89//alEl:GtWtStjG9vAoPWtStjG9vAB89XuM
MD5:	ACB9CD28B71D4DFEF3B22082D0D8E218
SHA1:	420F3E934E9887183642EB0138325C354B90EEA3
SHA-256:	67716C9B0E6A0112157FC9D91A4511EC14F086F0222FCCBD92BA42163602A35C
SHA-512:	5AAD1291CEB6B8887CEAC63FA5C8060F5B567A8A013B0FB717EA2C8625A54794E6A3123F5F3B685A3F4B994AF4922CC99A325685E3237C8F69C61DC5DEFE63AD
Malicious:	false
Preview:	..-.....................0L.Hg...!..VM......G.T...-.....................0L.Hg...!..VM......G.T.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03989923340053625
Encrypted:	false
SSDEEP:	3:Ol1ULQzlofEdUxVdrwl8rEXsxdwhml8XW3R2:Kikzl4xVdUl8dMhm93w
MD5:	2DC2F1D1D2CA0EFE5F87988612C64831
SHA1:	DA352DB575A960B78FC352249530CCFD5CDC3687
SHA-256:	C1BE96FF6B018DD16AF71478B84AB88A9D1F618B0BFA4C49DB04F7DFEF38EEFA
SHA-512:	2D02027F6D4EB6F9024EC417D8CA4F72FF5E8DF43C599C1BF2F4178E32CCED605B4F0C7C21971576864D996501424DCF09311002EB3F2CF8FFFB0B701F052C92
Malicious:	false
Preview:	7....-..........!..VM.....4Q../........!..VM..H.L0..g................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.478845128646723
Encrypted:	false
SSDEEP:	192:2nPOeRnLYbBp6cJ0aX+s6SEXKQL1NVa5RHWNBw8dRSl:8DeRJU/JzsHEwu0
MD5:	6840A41183DC21EC5E58677DB01ED122
SHA1:	809CE3E882D44DB2612346E70711E3D7D0E39B72
SHA-256:	5D51E787066CFCE50A0E77ADFDE901C6FBD652FB256E14C4107E1029FC06FF06
SHA-512:	5258B3E4282849DCB2853E20EF1C26B8AF18F495941009117843C6604B760823CEAD46E1FE1647FBE51177908E564927B12C7066304CE1C18E35C8DF06AA720A
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730350555);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730350555);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730350555);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173035

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.478845128646723
Encrypted:	false
SSDEEP:	192:2nPOeRnLYbBp6cJ0aX+s6SEXKQL1NVa5RHWNBw8dRSl:8DeRJU/JzsHEwu0
MD5:	6840A41183DC21EC5E58677DB01ED122
SHA1:	809CE3E882D44DB2612346E70711E3D7D0E39B72
SHA-256:	5D51E787066CFCE50A0E77ADFDE901C6FBD652FB256E14C4107E1029FC06FF06
SHA-512:	5258B3E4282849DCB2853E20EF1C26B8AF18F495941009117843C6604B760823CEAD46E1FE1647FBE51177908E564927B12C7066304CE1C18E35C8DF06AA720A
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730350555);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730350555);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730350555);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173035

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1559
Entropy (8bit):	6.343612963698701
Encrypted:	false
SSDEEP:	24:v+USUGlcAxScyHLXnIrv/pnxQwRcRK5sKmgb63eHVpjO+QamhujJwO2c0TiVm0BC:GUpOxzyHcnRcR4egm3erjxQ4Jwc3zBtg
MD5:	C17E3CFE0F1DE717FCBE7C39AD2FDE59
SHA1:	F2860897212158A088FEDCE4B45499F14A5CAF0D
SHA-256:	2482F174D5595B090F1207BFA0A7C3425872E50BC72F69F4E8F4C44764370865
SHA-512:	EC089F708D976606F4BBBECB9470D0C5B8A832490427A740E7AD03ADB99E14624E63D4BBB45D1C8B7487E0202837A30BA74F106AFACA55BFE958BC56D08FC121
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{cb262a7f-a44e-4477-9d41-38af3bc8c22b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730350562491,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":8...screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P25190...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...31194,"originA...."first

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1559
Entropy (8bit):	6.343612963698701
Encrypted:	false
SSDEEP:	24:v+USUGlcAxScyHLXnIrv/pnxQwRcRK5sKmgb63eHVpjO+QamhujJwO2c0TiVm0BC:GUpOxzyHcnRcR4egm3erjxQ4Jwc3zBtg
MD5:	C17E3CFE0F1DE717FCBE7C39AD2FDE59
SHA1:	F2860897212158A088FEDCE4B45499F14A5CAF0D
SHA-256:	2482F174D5595B090F1207BFA0A7C3425872E50BC72F69F4E8F4C44764370865
SHA-512:	EC089F708D976606F4BBBECB9470D0C5B8A832490427A740E7AD03ADB99E14624E63D4BBB45D1C8B7487E0202837A30BA74F106AFACA55BFE958BC56D08FC121
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{cb262a7f-a44e-4477-9d41-38af3bc8c22b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730350562491,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":8...screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P25190...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...31194,"originA...."first

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1559
Entropy (8bit):	6.343612963698701
Encrypted:	false
SSDEEP:	24:v+USUGlcAxScyHLXnIrv/pnxQwRcRK5sKmgb63eHVpjO+QamhujJwO2c0TiVm0BC:GUpOxzyHcnRcR4egm3erjxQ4Jwc3zBtg
MD5:	C17E3CFE0F1DE717FCBE7C39AD2FDE59
SHA1:	F2860897212158A088FEDCE4B45499F14A5CAF0D
SHA-256:	2482F174D5595B090F1207BFA0A7C3425872E50BC72F69F4E8F4C44764370865
SHA-512:	EC089F708D976606F4BBBECB9470D0C5B8A832490427A740E7AD03ADB99E14624E63D4BBB45D1C8B7487E0202837A30BA74F106AFACA55BFE958BC56D08FC121
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{cb262a7f-a44e-4477-9d41-38af3bc8c22b}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730350562491,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":8...screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P25190...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...31194,"originA...."first

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029137815476115
Encrypted:	false
SSDEEP:	96:ycdMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:MTEr5NX0z3DhRe
MD5:	CDE29D7A6A530879FA8C3698B609DDAB
SHA1:	FCF6020063EB6409B154DB91E2A2E442E8C274E5
SHA-256:	BCC32F10464F6A4BFB39AB9B4F47D1E7ACF9A1E0B5185B763816E833D41E2006
SHA-512:	8186D1214897B8AE42D4B80FCE91928A2174909F86978DCFC03B1B01B68BB25D408470F696095188A75ACDA69A731CDA20C9E33020E746F6D03DF0AF1E40B39F
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-31T04:55:40.311Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029137815476115
Encrypted:	false
SSDEEP:	96:ycdMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:MTEr5NX0z3DhRe
MD5:	CDE29D7A6A530879FA8C3698B609DDAB
SHA1:	FCF6020063EB6409B154DB91E2A2E442E8C274E5
SHA-256:	BCC32F10464F6A4BFB39AB9B4F47D1E7ACF9A1E0B5185B763816E833D41E2006
SHA-512:	8186D1214897B8AE42D4B80FCE91928A2174909F86978DCFC03B1B01B68BB25D408470F696095188A75ACDA69A731CDA20C9E33020E746F6D03DF0AF1E40B39F
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-31T04:55:40.311Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584673658927549
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	1d861b36e55e04fbc04ff38b5d152a08
SHA1:	f53ddbe7888dd7876cb8f6e8f8747444d360ec7f
SHA256:	70cc27da966c738d1b02fb80ce3743002343a8a7a4b8fe0a908114c723c683e5
SHA512:	835b66032834d8a98af4debda8360f9000088bbce67c949474d413b0be020626d835678cefd6f2c02d2d763e29eb14442e3b129f85113098a9d114e88d7e3fa1
SSDEEP:	12288:FqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tb:FqDEvCTbMWu7rQYlBQcBiT6rprG8abb
TLSH:	A8159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6722F248 [Thu Oct 31 02:58:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FC2009484D3h
jmp 00007FC200947DDFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC200947FBDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC200947F8Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC20094AB7Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC20094ABC8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC20094ABB1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	603fcb1c6e7eb07994892f74caf9a040	False	0.31561511075949367	data	5.374018991945516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 04:16:03.813560009 CET	49710	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:03.813607931 CET	443	49710	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:03.813724041 CET	49710	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:03.817617893 CET	49710	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:03.817634106 CET	443	49710	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:04.339184999 CET	49711	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:04.339199066 CET	443	49711	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:04.339385986 CET	49711	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:04.340987921 CET	49711	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:04.341007948 CET	443	49711	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:04.479712963 CET	49712	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:04.479794025 CET	443	49712	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:04.479891062 CET	49712	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:04.481328011 CET	49712	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:04.481364012 CET	443	49712	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:04.483361959 CET	49713	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:04.488317966 CET	80	49713	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:04.490777969 CET	49713	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:04.490940094 CET	49713	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:04.495930910 CET	80	49713	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:04.732512951 CET	49714	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:04.732537031 CET	443	49714	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:04.732803106 CET	49714	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:04.734317064 CET	49714	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:04.734328985 CET	443	49714	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:04.736047029 CET	49715	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:04.736059904 CET	443	49715	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:04.736340046 CET	49715	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:04.737737894 CET	49715	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:04.737751007 CET	443	49715	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:04.971348047 CET	443	49710	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:04.972642899 CET	49710	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:04.981262922 CET	49710	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:04.981276035 CET	443	49710	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:04.981475115 CET	443	49710	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:04.981476068 CET	49710	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:04.981492996 CET	443	49710	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:04.981859922 CET	49716	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:04.981884956 CET	443	49716	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:04.984246016 CET	49716	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:04.984251022 CET	49710	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:04.989552975 CET	49716	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:04.989567995 CET	443	49716	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:05.018393040 CET	49717	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:05.018413067 CET	443	49717	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:05.021929026 CET	49717	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:05.022149086 CET	49717	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:05.022171021 CET	443	49717	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:05.132070065 CET	80	49713	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:05.179781914 CET	49713	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:05.209898949 CET	443	49711	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:05.209990978 CET	49711	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:05.210761070 CET	443	49711	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:05.211072922 CET	49711	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:05.220586061 CET	49711	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:05.220597029 CET	443	49711	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:05.220698118 CET	49711	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:05.220720053 CET	443	49711	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:05.222007036 CET	49711	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:05.347560883 CET	443	49712	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:05.348572016 CET	443	49712	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:05.355846882 CET	443	49715	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:05.357809067 CET	49712	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:05.357853889 CET	443	49712	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:05.357888937 CET	49715	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.361726046 CET	443	49714	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:05.371330023 CET	443	49714	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:05.378005981 CET	49714	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.418381929 CET	49712	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:05.450640917 CET	49715	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.450668097 CET	443	49715	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:05.450769901 CET	49715	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.450900078 CET	443	49715	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:05.451174974 CET	49718	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.451200962 CET	443	49718	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:05.453505993 CET	49712	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:05.453521013 CET	443	49712	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:05.453608990 CET	49712	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:05.453917980 CET	49719	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:05.453941107 CET	443	49719	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:05.454050064 CET	443	49712	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:05.456171989 CET	49714	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.456177950 CET	443	49714	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:05.456268072 CET	49714	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.456351042 CET	443	49714	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:05.456573009 CET	49720	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.456605911 CET	443	49720	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:05.458657026 CET	49715	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.458704948 CET	49712	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:05.458715916 CET	49718	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.458913088 CET	49719	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:05.460304022 CET	49718	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.460323095 CET	443	49718	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:05.461653948 CET	49719	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:05.461663961 CET	443	49719	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:05.472677946 CET	49714	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.472769022 CET	49720	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.482142925 CET	49720	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:05.482156992 CET	443	49720	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:05.585591078 CET	443	49716	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:05.588450909 CET	49716	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:05.593055964 CET	49716	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:05.593063116 CET	443	49716	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:05.593153000 CET	49716	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:05.593175888 CET	443	49716	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:05.593978882 CET	49716	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:05.595240116 CET	49722	443	192.168.2.5	34.160.144.191
Oct 31, 2024 04:16:05.595268011 CET	443	49722	34.160.144.191	192.168.2.5
Oct 31, 2024 04:16:05.595494032 CET	49722	443	192.168.2.5	34.160.144.191
Oct 31, 2024 04:16:05.595633984 CET	49722	443	192.168.2.5	34.160.144.191
Oct 31, 2024 04:16:05.595647097 CET	443	49722	34.160.144.191	192.168.2.5
Oct 31, 2024 04:16:05.651292086 CET	443	49717	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:05.651482105 CET	49717	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:05.654582024 CET	49717	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:05.654592037 CET	443	49717	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:05.654840946 CET	443	49717	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:05.656491041 CET	49717	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:05.656579971 CET	49717	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:05.656712055 CET	443	49717	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:05.656814098 CET	49717	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:05.656827927 CET	49717	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:05.815470934 CET	49723	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:05.820359945 CET	80	49723	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:05.820417881 CET	49723	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:05.820558071 CET	49723	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:05.825351954 CET	80	49723	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:06.051846981 CET	49713	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:06.057179928 CET	80	49713	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:06.065259933 CET	443	49718	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.065274000 CET	443	49718	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.067641020 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:06.072614908 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:06.074887991 CET	49713	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:06.074898958 CET	49718	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.074937105 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:06.077680111 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:06.079360008 CET	49718	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.079368114 CET	443	49718	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.079451084 CET	49718	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.079530001 CET	443	49718	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.080023050 CET	49718	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.082453966 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:06.205442905 CET	443	49722	34.160.144.191	192.168.2.5
Oct 31, 2024 04:16:06.207897902 CET	49722	443	192.168.2.5	34.160.144.191
Oct 31, 2024 04:16:06.210988998 CET	49722	443	192.168.2.5	34.160.144.191
Oct 31, 2024 04:16:06.211011887 CET	443	49722	34.160.144.191	192.168.2.5
Oct 31, 2024 04:16:06.211231947 CET	443	49722	34.160.144.191	192.168.2.5
Oct 31, 2024 04:16:06.214354992 CET	49722	443	192.168.2.5	34.160.144.191
Oct 31, 2024 04:16:06.214447975 CET	49722	443	192.168.2.5	34.160.144.191
Oct 31, 2024 04:16:06.214483976 CET	443	49722	34.160.144.191	192.168.2.5
Oct 31, 2024 04:16:06.214663029 CET	49722	443	192.168.2.5	34.160.144.191
Oct 31, 2024 04:16:06.236931086 CET	49725	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.236953020 CET	443	49725	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.237396955 CET	49725	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.238864899 CET	49725	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.238876104 CET	443	49725	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.323288918 CET	443	49719	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:06.323379993 CET	49719	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:06.324307919 CET	443	49719	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:06.326807022 CET	49719	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:06.330399990 CET	49719	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:06.330419064 CET	443	49719	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:06.330509901 CET	49719	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:06.330744028 CET	443	49719	142.250.185.238	192.168.2.5
Oct 31, 2024 04:16:06.330811024 CET	49719	443	192.168.2.5	142.250.185.238
Oct 31, 2024 04:16:06.364101887 CET	443	49720	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.364115000 CET	443	49720	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.364212990 CET	49720	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.368035078 CET	49720	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.368041992 CET	443	49720	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.368128061 CET	49720	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.368165970 CET	443	49720	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.368381023 CET	49720	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.661689997 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:06.706074953 CET	49723	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:06.709599018 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:06.711532116 CET	80	49723	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:06.725217104 CET	49723	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:06.848031044 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:06.852909088 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:06.856770039 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:06.857050896 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:06.860050917 CET	443	49725	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.862529039 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:06.870955944 CET	49725	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.877443075 CET	49725	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.877455950 CET	443	49725	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.877561092 CET	49725	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.877568960 CET	443	49725	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.877945900 CET	49727	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.877962112 CET	443	49727	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:06.878896952 CET	49725	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.878923893 CET	49727	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.880532980 CET	49727	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:06.880543947 CET	443	49727	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:07.452804089 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:07.476826906 CET	443	49727	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:07.482604980 CET	49727	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:07.489283085 CET	49727	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:07.489294052 CET	443	49727	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:07.489372969 CET	49727	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:07.489422083 CET	443	49727	34.117.188.166	192.168.2.5
Oct 31, 2024 04:16:07.498605967 CET	49727	443	192.168.2.5	34.117.188.166
Oct 31, 2024 04:16:07.498606920 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:08.155033112 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:08.160100937 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:08.277972937 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:08.325495005 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:10.801772118 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:10.806586981 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:10.808263063 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:10.813059092 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:10.926076889 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:10.930860996 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:10.971848965 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:10.976660967 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:10.979914904 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:10.983926058 CET	49731	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:10.983942986 CET	443	49731	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:10.984935045 CET	49731	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:10.986515045 CET	49731	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:10.986526966 CET	443	49731	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:11.002454042 CET	49732	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:11.002516031 CET	443	49732	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:11.017431021 CET	49732	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:11.018953085 CET	49732	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:11.018961906 CET	443	49732	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:11.022860050 CET	49733	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:11.022876978 CET	443	49733	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:11.023876905 CET	49734	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:11.023888111 CET	443	49734	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:11.024441957 CET	49733	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:11.024646044 CET	49734	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:11.035398006 CET	49733	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:11.035412073 CET	443	49733	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:11.037672043 CET	49734	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:11.037683010 CET	443	49734	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:11.095999002 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:11.149352074 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:11.587394953 CET	443	49731	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:11.589025021 CET	49731	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:11.606461048 CET	49731	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:11.606472969 CET	443	49731	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:11.606576920 CET	49731	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:11.606597900 CET	443	49731	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:11.609071970 CET	49731	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:11.610589027 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:11.615412951 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:11.626837969 CET	443	49732	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:11.626852989 CET	443	49732	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:11.626929045 CET	49732	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:11.641715050 CET	49735	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:11.641731024 CET	443	49735	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:11.641910076 CET	49735	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:11.643276930 CET	49735	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:11.643291950 CET	443	49735	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:11.655014038 CET	443	49733	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:11.655083895 CET	49733	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:11.657294989 CET	49733	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:11.657308102 CET	443	49733	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:11.657627106 CET	443	49733	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:11.679697037 CET	49732	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:11.679725885 CET	443	49732	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:11.679796934 CET	49732	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:11.679867983 CET	443	49732	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:11.679881096 CET	49733	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:11.679948092 CET	49733	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:11.680083036 CET	49732	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:11.680274010 CET	443	49733	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:11.680346012 CET	49733	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:11.733038902 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:11.741445065 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:11.746635914 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:11.768095016 CET	443	49734	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:11.768161058 CET	49734	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:11.778374910 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:11.795641899 CET	49734	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:11.795653105 CET	443	49734	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:11.795747042 CET	49734	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:11.795778990 CET	443	49734	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:11.798799038 CET	49734	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:11.799549103 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:11.804318905 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:11.808516026 CET	49736	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:11.808557034 CET	443	49736	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:11.809160948 CET	49736	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:11.809324026 CET	49736	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:11.809336901 CET	443	49736	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:11.811813116 CET	49737	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:11.811834097 CET	443	49737	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:11.812819004 CET	49737	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:11.812920094 CET	49737	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:11.812932968 CET	443	49737	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:11.866267920 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:11.909909010 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:11.922040939 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:11.937062979 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:11.941867113 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:11.978940964 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:12.061336040 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:12.110713005 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:12.266385078 CET	443	49735	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:12.275332928 CET	443	49735	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:12.283478975 CET	49735	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.408314943 CET	443	49736	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:12.410567045 CET	49736	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.419079065 CET	443	49737	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:12.419799089 CET	49737	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.551898956 CET	49736	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.551922083 CET	443	49736	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:12.552148104 CET	443	49736	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:12.554469109 CET	49737	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.554485083 CET	443	49737	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:12.555335999 CET	443	49737	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:12.606785059 CET	49737	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.606786966 CET	49736	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.647469044 CET	49735	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.647483110 CET	443	49735	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:12.647665977 CET	49735	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.647679090 CET	443	49735	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:12.647783041 CET	49736	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.647851944 CET	49736	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.647903919 CET	49737	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.647955894 CET	443	49736	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:12.648201942 CET	49735	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.648226976 CET	49736	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:12.648422956 CET	443	49737	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:12.648518085 CET	49737	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:13.295368910 CET	49737	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:13.295388937 CET	443	49737	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:17.293745041 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:17.297369957 CET	49744	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:17.297390938 CET	443	49744	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:17.298512936 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:17.300966024 CET	49744	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:17.302642107 CET	49744	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:17.302654028 CET	443	49744	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:17.417252064 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:17.464255095 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:17.907561064 CET	443	49744	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:17.907638073 CET	49744	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:18.244774103 CET	49744	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:18.244807959 CET	443	49744	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:18.244862080 CET	49744	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:18.244986057 CET	443	49744	34.120.208.123	192.168.2.5
Oct 31, 2024 04:16:18.245050907 CET	49744	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:16:18.472322941 CET	49756	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:18.472336054 CET	443	49756	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:18.474860907 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:18.479078054 CET	49756	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:18.480026960 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:18.480556965 CET	49756	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:18.480567932 CET	443	49756	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:18.600122929 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:18.652020931 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:19.090313911 CET	443	49756	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:19.090327978 CET	443	49756	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:19.099838972 CET	49756	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:19.119419098 CET	49756	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:19.119431973 CET	443	49756	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:19.119508982 CET	49756	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:19.119600058 CET	443	49756	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:19.126439095 CET	49756	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:20.329293966 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:20.336703062 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:20.451797009 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:20.501832962 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:20.866981983 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:20.871751070 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:20.991241932 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:21.034527063 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:30.346914053 CET	49816	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:30.346951008 CET	443	49816	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:30.347021103 CET	49816	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:30.348573923 CET	49816	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:30.348586082 CET	443	49816	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:30.466525078 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:30.471301079 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:30.958106041 CET	443	49816	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:30.959008932 CET	49816	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:30.963351965 CET	49816	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:30.963368893 CET	443	49816	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:30.963505030 CET	49816	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:30.963577032 CET	443	49816	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:30.963701963 CET	49816	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:30.966762066 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:30.971713066 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:30.999250889 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:31.004192114 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:31.095901012 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:31.100138903 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:31.105091095 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:31.137361050 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:31.224455118 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:31.268882036 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:32.450582027 CET	49828	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:32.450606108 CET	443	49828	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:32.452831030 CET	49828	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:32.453005075 CET	49828	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:32.453018904 CET	443	49828	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:32.474637985 CET	49829	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:32.474668980 CET	443	49829	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:32.475081921 CET	49829	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:32.475243092 CET	49829	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:32.475259066 CET	443	49829	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:32.483306885 CET	49830	443	192.168.2.5	151.101.65.91
Oct 31, 2024 04:16:32.483336926 CET	443	49830	151.101.65.91	192.168.2.5
Oct 31, 2024 04:16:32.483658075 CET	49830	443	192.168.2.5	151.101.65.91
Oct 31, 2024 04:16:32.483808994 CET	49830	443	192.168.2.5	151.101.65.91
Oct 31, 2024 04:16:32.483824968 CET	443	49830	151.101.65.91	192.168.2.5
Oct 31, 2024 04:16:32.548680067 CET	49831	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:32.548719883 CET	443	49831	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:32.550122023 CET	49831	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:32.551651955 CET	49831	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:32.551671982 CET	443	49831	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:32.563854933 CET	49832	443	192.168.2.5	35.201.103.21
Oct 31, 2024 04:16:32.563877106 CET	443	49832	35.201.103.21	192.168.2.5
Oct 31, 2024 04:16:32.564785957 CET	49832	443	192.168.2.5	35.201.103.21
Oct 31, 2024 04:16:32.566260099 CET	49832	443	192.168.2.5	35.201.103.21
Oct 31, 2024 04:16:32.566270113 CET	443	49832	35.201.103.21	192.168.2.5
Oct 31, 2024 04:16:33.066344023 CET	443	49828	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.066440105 CET	49828	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.070146084 CET	49828	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.070159912 CET	443	49828	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.070449114 CET	443	49828	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.072880030 CET	49828	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.072994947 CET	49828	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.073092937 CET	443	49828	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.073633909 CET	49828	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.077172995 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:33.081957102 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:33.095779896 CET	443	49830	151.101.65.91	192.168.2.5
Oct 31, 2024 04:16:33.095866919 CET	49830	443	192.168.2.5	151.101.65.91
Oct 31, 2024 04:16:33.099152088 CET	49830	443	192.168.2.5	151.101.65.91
Oct 31, 2024 04:16:33.099163055 CET	443	49830	151.101.65.91	192.168.2.5
Oct 31, 2024 04:16:33.099419117 CET	443	49830	151.101.65.91	192.168.2.5
Oct 31, 2024 04:16:33.102034092 CET	49830	443	192.168.2.5	151.101.65.91
Oct 31, 2024 04:16:33.102154970 CET	49830	443	192.168.2.5	151.101.65.91
Oct 31, 2024 04:16:33.102185011 CET	443	49830	151.101.65.91	192.168.2.5
Oct 31, 2024 04:16:33.102390051 CET	49830	443	192.168.2.5	151.101.65.91
Oct 31, 2024 04:16:33.103889942 CET	443	49829	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:33.103976965 CET	49829	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:33.107069016 CET	49829	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:33.107074976 CET	443	49829	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:33.107341051 CET	443	49829	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:33.109477997 CET	49829	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:33.109554052 CET	49829	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:33.111964941 CET	49837	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.112005949 CET	443	49837	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.112406015 CET	49837	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.112548113 CET	49837	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.112560987 CET	443	49837	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.113719940 CET	49838	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.113730907 CET	443	49838	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.113991976 CET	49838	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.114097118 CET	49838	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.114114046 CET	443	49838	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.116067886 CET	49839	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.116101980 CET	443	49839	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.116331100 CET	49839	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.116461992 CET	49839	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.116475105 CET	443	49839	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.174037933 CET	443	49831	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:33.174127102 CET	49831	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:33.175702095 CET	443	49832	35.201.103.21	192.168.2.5
Oct 31, 2024 04:16:33.177757025 CET	49831	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:33.177767992 CET	443	49831	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:33.177849054 CET	49831	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:33.177961111 CET	443	49831	35.190.72.216	192.168.2.5
Oct 31, 2024 04:16:33.178565979 CET	49831	443	192.168.2.5	35.190.72.216
Oct 31, 2024 04:16:33.178574085 CET	49832	443	192.168.2.5	35.201.103.21
Oct 31, 2024 04:16:33.182001114 CET	49832	443	192.168.2.5	35.201.103.21
Oct 31, 2024 04:16:33.182005882 CET	443	49832	35.201.103.21	192.168.2.5
Oct 31, 2024 04:16:33.182080984 CET	49832	443	192.168.2.5	35.201.103.21
Oct 31, 2024 04:16:33.182163000 CET	443	49832	35.201.103.21	192.168.2.5
Oct 31, 2024 04:16:33.185852051 CET	49832	443	192.168.2.5	35.201.103.21
Oct 31, 2024 04:16:33.198462963 CET	49841	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:33.198493004 CET	443	49841	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:33.199242115 CET	49841	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:33.199361086 CET	49841	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:33.199374914 CET	443	49841	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:33.200179100 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:33.203059912 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:33.207813025 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:33.243541956 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:33.327461004 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:33.375056982 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:33.723159075 CET	443	49839	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.723280907 CET	49839	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.726013899 CET	49839	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.726025105 CET	443	49839	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.726269007 CET	443	49839	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.728082895 CET	49839	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.728185892 CET	49839	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.728228092 CET	443	49839	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.728349924 CET	49839	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.728812933 CET	443	49838	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.729017019 CET	49838	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.731632948 CET	49838	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.731638908 CET	443	49838	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.732104063 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:33.732472897 CET	443	49838	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.734462976 CET	49838	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.734548092 CET	49838	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.734613895 CET	443	49838	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.735524893 CET	49838	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.737237930 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:33.737997055 CET	443	49837	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.738527060 CET	49837	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.741569996 CET	49837	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.741576910 CET	443	49837	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.741821051 CET	443	49837	35.244.181.201	192.168.2.5
Oct 31, 2024 04:16:33.743027925 CET	49837	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.743100882 CET	49837	443	192.168.2.5	35.244.181.201
Oct 31, 2024 04:16:33.806106091 CET	443	49841	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:33.806189060 CET	49841	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:33.809336901 CET	49841	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:33.809346914 CET	443	49841	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:33.809662104 CET	443	49841	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:33.811130047 CET	49841	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:33.811217070 CET	49841	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:33.811325073 CET	443	49841	34.149.100.209	192.168.2.5
Oct 31, 2024 04:16:33.812055111 CET	49841	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:33.812072992 CET	49841	443	192.168.2.5	34.149.100.209
Oct 31, 2024 04:16:33.855052948 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:33.858331919 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:33.863256931 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:33.907816887 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:33.982350111 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:34.023772955 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:38.408710957 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:38.413561106 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:38.702791929 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:38.706188917 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:38.710993052 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:38.759079933 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:38.830389023 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:38.875019073 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:48.703628063 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:48.708432913 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:48.835223913 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:48.840276003 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:51.220856905 CET	49939	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:51.220896959 CET	443	49939	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:51.220963001 CET	49939	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:51.222287893 CET	49939	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:51.222301960 CET	443	49939	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:51.827061892 CET	443	49939	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:51.827145100 CET	49939	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:51.831410885 CET	49939	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:51.831425905 CET	443	49939	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:51.831435919 CET	49939	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:51.831617117 CET	443	49939	34.107.243.93	192.168.2.5
Oct 31, 2024 04:16:51.832035065 CET	49939	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:16:51.834117889 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:51.838931084 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:51.956518888 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:51.959731102 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:51.964586020 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:51.997281075 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:16:52.083987951 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:16:52.128740072 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:01.957245111 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:01.962078094 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:02.088769913 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:02.093599081 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:02.961348057 CET	50001	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:02.961373091 CET	443	50001	34.120.208.123	192.168.2.5
Oct 31, 2024 04:17:02.963038921 CET	50001	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:02.963291883 CET	50001	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:02.963304996 CET	443	50001	34.120.208.123	192.168.2.5
Oct 31, 2024 04:17:02.982343912 CET	50002	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:02.982367039 CET	443	50002	34.120.208.123	192.168.2.5
Oct 31, 2024 04:17:02.982443094 CET	50002	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:02.982573986 CET	50002	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:02.982592106 CET	443	50002	34.120.208.123	192.168.2.5
Oct 31, 2024 04:17:03.570019960 CET	443	50001	34.120.208.123	192.168.2.5
Oct 31, 2024 04:17:03.577549934 CET	50001	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:03.580204964 CET	443	50002	34.120.208.123	192.168.2.5
Oct 31, 2024 04:17:03.580914021 CET	50001	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:03.580920935 CET	443	50001	34.120.208.123	192.168.2.5
Oct 31, 2024 04:17:03.581249952 CET	443	50001	34.120.208.123	192.168.2.5
Oct 31, 2024 04:17:03.582864046 CET	50001	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:03.582972050 CET	50001	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:03.583134890 CET	443	50001	34.120.208.123	192.168.2.5
Oct 31, 2024 04:17:03.585521936 CET	50001	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:03.585545063 CET	50001	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:03.585547924 CET	50002	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:03.588536024 CET	50002	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:03.588541985 CET	443	50002	34.120.208.123	192.168.2.5
Oct 31, 2024 04:17:03.588891029 CET	443	50002	34.120.208.123	192.168.2.5
Oct 31, 2024 04:17:03.590425968 CET	50002	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:03.590517998 CET	50002	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:03.590612888 CET	443	50002	34.120.208.123	192.168.2.5
Oct 31, 2024 04:17:03.592091084 CET	50002	443	192.168.2.5	34.120.208.123
Oct 31, 2024 04:17:03.597094059 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:03.602018118 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:03.720046043 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:03.723238945 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:03.728110075 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:03.762408018 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:03.848611116 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:03.893956900 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:13.722182989 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:13.727144003 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:13.860306025 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:13.865246058 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:23.735863924 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:23.740766048 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:23.867305040 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:23.872128010 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:32.155822039 CET	50027	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:17:32.155889034 CET	443	50027	34.107.243.93	192.168.2.5
Oct 31, 2024 04:17:32.155977011 CET	50027	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:17:32.157494068 CET	50027	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:17:32.157531023 CET	443	50027	34.107.243.93	192.168.2.5
Oct 31, 2024 04:17:32.754290104 CET	443	50027	34.107.243.93	192.168.2.5
Oct 31, 2024 04:17:32.756792068 CET	50027	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:17:32.761466980 CET	50027	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:17:32.761487961 CET	443	50027	34.107.243.93	192.168.2.5
Oct 31, 2024 04:17:32.761562109 CET	50027	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:17:32.761616945 CET	443	50027	34.107.243.93	192.168.2.5
Oct 31, 2024 04:17:32.761713982 CET	50027	443	192.168.2.5	34.107.243.93
Oct 31, 2024 04:17:32.765064955 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:32.769973993 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:32.888245106 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:32.893255949 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:32.898291111 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:32.931206942 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:33.017858982 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:33.062731028 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:42.891840935 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:42.896713972 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:43.023025036 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:43.027987003 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:52.903639078 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:52.908504963 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:17:53.034810066 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:17:53.039645910 CET	80	49726	34.107.221.82	192.168.2.5
Oct 31, 2024 04:18:02.911277056 CET	49724	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:18:02.916125059 CET	80	49724	34.107.221.82	192.168.2.5
Oct 31, 2024 04:18:03.042835951 CET	49726	80	192.168.2.5	34.107.221.82
Oct 31, 2024 04:18:03.047616959 CET	80	49726	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 04:16:03.829900980 CET	58791	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:03.836994886 CET	53	58791	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:03.844537020 CET	60341	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:03.851675987 CET	53	60341	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:04.302046061 CET	64024	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:04.338279963 CET	53	64024	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:04.339848042 CET	54679	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:04.346551895 CET	53	54679	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:04.347031116 CET	55673	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:04.353841066 CET	53	55673	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:04.396779060 CET	64497	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:04.406301022 CET	55200	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:04.413044930 CET	53	55200	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:04.414012909 CET	64990	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:04.422494888 CET	53	64990	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:04.723747015 CET	54458	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:04.728163004 CET	62166	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:04.730776072 CET	53	54458	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:04.732712984 CET	58240	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:04.735347986 CET	53	62166	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:04.736263990 CET	62001	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:04.739291906 CET	53	58240	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:04.742996931 CET	53	62001	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:04.743127108 CET	58422	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:04.743499041 CET	56173	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:04.749761105 CET	53	58422	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:04.750305891 CET	53	56173	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:05.019109964 CET	57336	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:05.025867939 CET	53	57336	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:05.038887024 CET	49365	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:05.045885086 CET	53	49365	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:05.573945045 CET	61649	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:05.578373909 CET	49220	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:05.580615044 CET	53	61649	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:05.583463907 CET	58456	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:05.585083961 CET	53	49220	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:05.590116978 CET	53	58456	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:05.595413923 CET	49996	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:05.603800058 CET	53	49996	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:05.607220888 CET	49396	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:05.614636898 CET	53	49396	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:05.807899952 CET	54889	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:08.155668020 CET	55331	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:08.192070007 CET	53	49689	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:10.789226055 CET	61738	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:10.795717955 CET	53	61738	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:10.800208092 CET	57707	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:10.807396889 CET	53	57707	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:10.834084988 CET	56930	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:10.841113091 CET	53	56930	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:10.957667112 CET	57523	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:10.964355946 CET	53	57523	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:10.970969915 CET	50367	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:10.977669001 CET	53	50367	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:10.981394053 CET	53139	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:10.984519005 CET	49426	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:10.988070965 CET	53	53139	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:10.991242886 CET	53	49426	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:10.998109102 CET	63920	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:11.000885010 CET	62070	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:11.005096912 CET	53	63920	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:11.007620096 CET	53	62070	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:11.010296106 CET	55845	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:11.017368078 CET	53	55845	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:11.024416924 CET	55210	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:11.031306028 CET	53	55210	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:11.033159971 CET	51517	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:11.039978981 CET	53	51517	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:17.293641090 CET	65422	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:17.298274040 CET	60910	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:17.305242062 CET	53	60910	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:18.364052057 CET	51351	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:18.370678902 CET	53	51351	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:18.374563932 CET	54453	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:18.382433891 CET	53	54453	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.328171968 CET	50797	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.328572989 CET	50463	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.328836918 CET	62969	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.337552071 CET	53	50797	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.337567091 CET	53	50463	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.337579012 CET	53	62969	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.338457108 CET	62735	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.338470936 CET	58926	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.338951111 CET	56338	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.345647097 CET	53	62735	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.345662117 CET	53	58926	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.346244097 CET	60818	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.346260071 CET	50251	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.352492094 CET	53	56338	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.352902889 CET	53	60818	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.352953911 CET	53	50251	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.352998018 CET	58271	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.353661060 CET	57144	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.353694916 CET	56442	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.359805107 CET	53	58271	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.360290051 CET	53	57144	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.360421896 CET	53	56442	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.360881090 CET	51805	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.361318111 CET	61896	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.367785931 CET	53	61896	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.368278980 CET	65474	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.368887901 CET	53	51805	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.369611979 CET	60355	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:20.382014036 CET	53	65474	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:20.382028103 CET	53	60355	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:30.338427067 CET	61809	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:30.345805883 CET	53	61809	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:30.346482992 CET	61801	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:30.353970051 CET	53	61801	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:32.458863020 CET	51652	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:32.470381975 CET	60343	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:32.479795933 CET	53	51652	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:32.482258081 CET	53	60343	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:32.483586073 CET	55230	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:32.490868092 CET	53	55230	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:32.491636038 CET	61788	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:32.498646021 CET	53	61788	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:32.549454927 CET	55363	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:32.556566000 CET	53	55363	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:32.564618111 CET	57567	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:32.571820021 CET	53	57567	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:32.573820114 CET	64002	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:32.580498934 CET	53	64002	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:33.077685118 CET	63210	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:51.213354111 CET	54145	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:51.219913006 CET	53	54145	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:51.220777988 CET	54809	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:16:51.227308989 CET	53	54809	1.1.1.1	192.168.2.5
Oct 31, 2024 04:16:51.834477901 CET	61474	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:17:02.944474936 CET	52995	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:17:02.951128006 CET	53	52995	1.1.1.1	192.168.2.5
Oct 31, 2024 04:17:03.597429037 CET	60647	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:17:03.605262041 CET	56462	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:17:03.612005949 CET	53	56462	1.1.1.1	192.168.2.5
Oct 31, 2024 04:17:32.147855043 CET	62985	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:17:32.154612064 CET	53	62985	1.1.1.1	192.168.2.5
Oct 31, 2024 04:17:32.155853033 CET	52394	53	192.168.2.5	1.1.1.1
Oct 31, 2024 04:17:32.162520885 CET	53	52394	1.1.1.1	192.168.2.5
Oct 31, 2024 04:17:32.765527010 CET	63240	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 04:16:03.829900980 CET	192.168.2.5	1.1.1.1	0xc440	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:03.844537020 CET	192.168.2.5	1.1.1.1	0xd10e	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 04:16:04.302046061 CET	192.168.2.5	1.1.1.1	0xd85e	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.339848042 CET	192.168.2.5	1.1.1.1	0xd1cd	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.347031116 CET	192.168.2.5	1.1.1.1	0x49af	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 31, 2024 04:16:04.396779060 CET	192.168.2.5	1.1.1.1	0x1660	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.406301022 CET	192.168.2.5	1.1.1.1	0x455d	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.414012909 CET	192.168.2.5	1.1.1.1	0x3207	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 04:16:04.723747015 CET	192.168.2.5	1.1.1.1	0xaa6c	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.728163004 CET	192.168.2.5	1.1.1.1	0x5105	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.732712984 CET	192.168.2.5	1.1.1.1	0xe659	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.736263990 CET	192.168.2.5	1.1.1.1	0x4fa7	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.743127108 CET	192.168.2.5	1.1.1.1	0x1e7a	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 04:16:04.743499041 CET	192.168.2.5	1.1.1.1	0x1b30	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 04:16:05.019109964 CET	192.168.2.5	1.1.1.1	0xeb28	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:05.038887024 CET	192.168.2.5	1.1.1.1	0x7bd2	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 04:16:05.573945045 CET	192.168.2.5	1.1.1.1	0x9d5	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:05.578373909 CET	192.168.2.5	1.1.1.1	0xcdea	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:05.583463907 CET	192.168.2.5	1.1.1.1	0x5351	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:05.595413923 CET	192.168.2.5	1.1.1.1	0x2594	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:05.607220888 CET	192.168.2.5	1.1.1.1	0x9d13	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 04:16:05.807899952 CET	192.168.2.5	1.1.1.1	0xa73b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:08.155668020 CET	192.168.2.5	1.1.1.1	0xc74e	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:10.789226055 CET	192.168.2.5	1.1.1.1	0xfdc5	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:10.800208092 CET	192.168.2.5	1.1.1.1	0x5a1b	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:10.834084988 CET	192.168.2.5	1.1.1.1	0x6537	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 04:16:10.957667112 CET	192.168.2.5	1.1.1.1	0xdee2	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:10.970969915 CET	192.168.2.5	1.1.1.1	0xbc97	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:10.981394053 CET	192.168.2.5	1.1.1.1	0xe49a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 04:16:10.984519005 CET	192.168.2.5	1.1.1.1	0x776c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:10.998109102 CET	192.168.2.5	1.1.1.1	0xe8d4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 04:16:11.000885010 CET	192.168.2.5	1.1.1.1	0x38d9	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:11.010296106 CET	192.168.2.5	1.1.1.1	0x3c28	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 04:16:11.024416924 CET	192.168.2.5	1.1.1.1	0x7729	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:11.033159971 CET	192.168.2.5	1.1.1.1	0x66ac	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 04:16:17.293641090 CET	192.168.2.5	1.1.1.1	0x84e6	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:17.298274040 CET	192.168.2.5	1.1.1.1	0xb731	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 04:16:18.364052057 CET	192.168.2.5	1.1.1.1	0x1585	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:18.374563932 CET	192.168.2.5	1.1.1.1	0xb39e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 04:16:20.328171968 CET	192.168.2.5	1.1.1.1	0xfb68	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.328572989 CET	192.168.2.5	1.1.1.1	0x35a8	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.328836918 CET	192.168.2.5	1.1.1.1	0x9d5c	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.338457108 CET	192.168.2.5	1.1.1.1	0xc32b	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.338470936 CET	192.168.2.5	1.1.1.1	0x8a6f	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.338951111 CET	192.168.2.5	1.1.1.1	0xfe2e	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.346244097 CET	192.168.2.5	1.1.1.1	0xd84c	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 31, 2024 04:16:20.346260071 CET	192.168.2.5	1.1.1.1	0xfda4	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 31, 2024 04:16:20.352998018 CET	192.168.2.5	1.1.1.1	0xe9da	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 31, 2024 04:16:20.353661060 CET	192.168.2.5	1.1.1.1	0xa81f	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.353694916 CET	192.168.2.5	1.1.1.1	0x9048	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.360881090 CET	192.168.2.5	1.1.1.1	0x478	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.361318111 CET	192.168.2.5	1.1.1.1	0xf5d0	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.368278980 CET	192.168.2.5	1.1.1.1	0x92ea	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 31, 2024 04:16:20.369611979 CET	192.168.2.5	1.1.1.1	0x5d50	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 31, 2024 04:16:30.338427067 CET	192.168.2.5	1.1.1.1	0xb498	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:30.346482992 CET	192.168.2.5	1.1.1.1	0xb9e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 04:16:32.458863020 CET	192.168.2.5	1.1.1.1	0x36c1	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 04:16:32.470381975 CET	192.168.2.5	1.1.1.1	0x5231	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.483586073 CET	192.168.2.5	1.1.1.1	0xf918	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.491636038 CET	192.168.2.5	1.1.1.1	0x10fa	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 31, 2024 04:16:32.549454927 CET	192.168.2.5	1.1.1.1	0x4119	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.564618111 CET	192.168.2.5	1.1.1.1	0x3554	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.573820114 CET	192.168.2.5	1.1.1.1	0x634c	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 04:16:33.077685118 CET	192.168.2.5	1.1.1.1	0x29d3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:51.213354111 CET	192.168.2.5	1.1.1.1	0x3545	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:51.220777988 CET	192.168.2.5	1.1.1.1	0x70de	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 04:16:51.834477901 CET	192.168.2.5	1.1.1.1	0x371b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:17:02.944474936 CET	192.168.2.5	1.1.1.1	0x113e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 04:17:03.597429037 CET	192.168.2.5	1.1.1.1	0xce95	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:17:03.605262041 CET	192.168.2.5	1.1.1.1	0xe8b	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:17:32.147855043 CET	192.168.2.5	1.1.1.1	0xcfc9	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:17:32.155853033 CET	192.168.2.5	1.1.1.1	0x7b2e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 04:17:32.765527010 CET	192.168.2.5	1.1.1.1	0x4109	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 04:16:03.802989006 CET	1.1.1.1	192.168.2.5	0xf226	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:03.836994886 CET	1.1.1.1	192.168.2.5	0xc440	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.338279963 CET	1.1.1.1	192.168.2.5	0xd85e	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.346551895 CET	1.1.1.1	192.168.2.5	0xd1cd	No error (0)	youtube.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.353841066 CET	1.1.1.1	192.168.2.5	0x49af	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 31, 2024 04:16:04.403589964 CET	1.1.1.1	192.168.2.5	0x1660	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:04.403589964 CET	1.1.1.1	192.168.2.5	0x1660	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.413044930 CET	1.1.1.1	192.168.2.5	0x455d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.422494888 CET	1.1.1.1	192.168.2.5	0x3207	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 31, 2024 04:16:04.730776072 CET	1.1.1.1	192.168.2.5	0xaa6c	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.735347986 CET	1.1.1.1	192.168.2.5	0x5105	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:04.735347986 CET	1.1.1.1	192.168.2.5	0x5105	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.739291906 CET	1.1.1.1	192.168.2.5	0xe659	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:04.742996931 CET	1.1.1.1	192.168.2.5	0x4fa7	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:05.015512943 CET	1.1.1.1	192.168.2.5	0x226b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:05.015512943 CET	1.1.1.1	192.168.2.5	0x226b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:05.025867939 CET	1.1.1.1	192.168.2.5	0xeb28	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:05.580615044 CET	1.1.1.1	192.168.2.5	0x9d5	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:05.585083961 CET	1.1.1.1	192.168.2.5	0xcdea	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:05.585083961 CET	1.1.1.1	192.168.2.5	0xcdea	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:05.590116978 CET	1.1.1.1	192.168.2.5	0x5351	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:05.590116978 CET	1.1.1.1	192.168.2.5	0x5351	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:05.590116978 CET	1.1.1.1	192.168.2.5	0x5351	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:05.603800058 CET	1.1.1.1	192.168.2.5	0x2594	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:05.614636898 CET	1.1.1.1	192.168.2.5	0x9d13	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 31, 2024 04:16:05.814610004 CET	1.1.1.1	192.168.2.5	0xa73b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:05.814610004 CET	1.1.1.1	192.168.2.5	0xa73b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:08.162764072 CET	1.1.1.1	192.168.2.5	0xc74e	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:10.795717955 CET	1.1.1.1	192.168.2.5	0xfdc5	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:10.795717955 CET	1.1.1.1	192.168.2.5	0xfdc5	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:10.795717955 CET	1.1.1.1	192.168.2.5	0xfdc5	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:10.807396889 CET	1.1.1.1	192.168.2.5	0x5a1b	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:10.964355946 CET	1.1.1.1	192.168.2.5	0xdee2	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:10.976897955 CET	1.1.1.1	192.168.2.5	0x6944	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:10.977669001 CET	1.1.1.1	192.168.2.5	0xbc97	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:10.991242886 CET	1.1.1.1	192.168.2.5	0x776c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:11.007620096 CET	1.1.1.1	192.168.2.5	0x38d9	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:11.007620096 CET	1.1.1.1	192.168.2.5	0x38d9	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:11.014580965 CET	1.1.1.1	192.168.2.5	0xbc44	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:11.014580965 CET	1.1.1.1	192.168.2.5	0xbc44	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:11.031306028 CET	1.1.1.1	192.168.2.5	0x7729	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:11.621083021 CET	1.1.1.1	192.168.2.5	0x1d16	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:17.302369118 CET	1.1.1.1	192.168.2.5	0x84e6	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:17.302369118 CET	1.1.1.1	192.168.2.5	0x84e6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:18.370678902 CET	1.1.1.1	192.168.2.5	0x1585	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337552071 CET	1.1.1.1	192.168.2.5	0xfb68	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337567091 CET	1.1.1.1	192.168.2.5	0x35a8	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337567091 CET	1.1.1.1	192.168.2.5	0x35a8	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337579012 CET	1.1.1.1	192.168.2.5	0x9d5c	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:20.337579012 CET	1.1.1.1	192.168.2.5	0x9d5c	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345647097 CET	1.1.1.1	192.168.2.5	0xc32b	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.345662117 CET	1.1.1.1	192.168.2.5	0x8a6f	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.352492094 CET	1.1.1.1	192.168.2.5	0xfe2e	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.352902889 CET	1.1.1.1	192.168.2.5	0xd84c	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 31, 2024 04:16:20.352953911 CET	1.1.1.1	192.168.2.5	0xfda4	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 04:16:20.352953911 CET	1.1.1.1	192.168.2.5	0xfda4	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 04:16:20.352953911 CET	1.1.1.1	192.168.2.5	0xfda4	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 04:16:20.352953911 CET	1.1.1.1	192.168.2.5	0xfda4	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 04:16:20.359805107 CET	1.1.1.1	192.168.2.5	0xe9da	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 31, 2024 04:16:20.360290051 CET	1.1.1.1	192.168.2.5	0xa81f	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:20.360290051 CET	1.1.1.1	192.168.2.5	0xa81f	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.360290051 CET	1.1.1.1	192.168.2.5	0xa81f	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.360290051 CET	1.1.1.1	192.168.2.5	0xa81f	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.360290051 CET	1.1.1.1	192.168.2.5	0xa81f	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.360421896 CET	1.1.1.1	192.168.2.5	0x9048	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.367785931 CET	1.1.1.1	192.168.2.5	0xf5d0	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.368887901 CET	1.1.1.1	192.168.2.5	0x478	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.368887901 CET	1.1.1.1	192.168.2.5	0x478	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.368887901 CET	1.1.1.1	192.168.2.5	0x478	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:20.368887901 CET	1.1.1.1	192.168.2.5	0x478	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:30.345805883 CET	1.1.1.1	192.168.2.5	0xb498	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.456665993 CET	1.1.1.1	192.168.2.5	0xd80b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:32.456665993 CET	1.1.1.1	192.168.2.5	0xd80b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.482258081 CET	1.1.1.1	192.168.2.5	0x5231	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.482258081 CET	1.1.1.1	192.168.2.5	0x5231	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.482258081 CET	1.1.1.1	192.168.2.5	0x5231	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.482258081 CET	1.1.1.1	192.168.2.5	0x5231	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.490868092 CET	1.1.1.1	192.168.2.5	0xf918	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.490868092 CET	1.1.1.1	192.168.2.5	0xf918	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.490868092 CET	1.1.1.1	192.168.2.5	0xf918	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.490868092 CET	1.1.1.1	192.168.2.5	0xf918	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.498646021 CET	1.1.1.1	192.168.2.5	0x10fa	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 04:16:32.498646021 CET	1.1.1.1	192.168.2.5	0x10fa	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 04:16:32.498646021 CET	1.1.1.1	192.168.2.5	0x10fa	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 04:16:32.498646021 CET	1.1.1.1	192.168.2.5	0x10fa	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 04:16:32.556566000 CET	1.1.1.1	192.168.2.5	0x4119	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:32.556566000 CET	1.1.1.1	192.168.2.5	0x4119	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:32.571820021 CET	1.1.1.1	192.168.2.5	0x3554	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:33.084151983 CET	1.1.1.1	192.168.2.5	0x29d3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:33.084151983 CET	1.1.1.1	192.168.2.5	0x29d3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:33.754348993 CET	1.1.1.1	192.168.2.5	0x3f53	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:33.754348993 CET	1.1.1.1	192.168.2.5	0x3f53	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:51.219913006 CET	1.1.1.1	192.168.2.5	0x3545	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:51.840971947 CET	1.1.1.1	192.168.2.5	0x371b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:51.840971947 CET	1.1.1.1	192.168.2.5	0x371b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:17:02.950624943 CET	1.1.1.1	192.168.2.5	0xee0d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:17:03.604255915 CET	1.1.1.1	192.168.2.5	0xce95	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:17:03.604255915 CET	1.1.1.1	192.168.2.5	0xce95	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:17:03.612005949 CET	1.1.1.1	192.168.2.5	0xe8b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:17:32.154612064 CET	1.1.1.1	192.168.2.5	0xcfc9	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:17:32.772326946 CET	1.1.1.1	192.168.2.5	0x4109	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:17:32.772326946 CET	1.1.1.1	192.168.2.5	0x4109	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	1288	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 04:16:04.490940094 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:16:05.132070065 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81892 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49723	34.107.221.82	80	1288	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 04:16:05.820558071 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49724	34.107.221.82	80	1288	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 04:16:06.077680111 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:16:06.661689997 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81893 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:16:08.155033112 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:16:08.277972937 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81895 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:16:10.808263063 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:16:10.930860996 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81897 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:16:11.610589027 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:16:11.733038902 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81898 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:16:11.799549103 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:16:11.922040939 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81898 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:16:17.293745041 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:16:17.417252064 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81904 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:16:20.329293966 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:16:20.451797009 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81907 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:16:30.466525078 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:16:30.966762066 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:16:31.095901012 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81918 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:16:33.077172995 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:16:33.200179100 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81920 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:16:33.732104063 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:16:33.855052948 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81920 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:16:38.408710957 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:16:38.702791929 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81925 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:16:48.703628063 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:16:51.834117889 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:16:51.956518888 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81938 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:17:01.957245111 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:17:03.597094059 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:17:03.720046043 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81950 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:17:13.722182989 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:17:23.735863924 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:17:32.765064955 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 04:17:32.888245106 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 81979 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 04:17:42.891840935 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:17:52.903639078 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:18:02.911277056 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49726	34.107.221.82	80	1288	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 04:16:06.857050896 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:16:07.452804089 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 81916 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:16:10.801772118 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:16:10.926076889 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 81919 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:16:10.971848965 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:16:11.095999002 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 81920 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:16:11.741445065 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:16:11.866267920 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 81920 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:16:11.937062979 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:16:12.061336040 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 81921 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:16:18.474860907 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:16:18.600122929 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 81927 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:16:20.866981983 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:16:20.991241932 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 81929 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:16:30.999250889 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:16:31.100138903 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:16:31.224455118 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 81940 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:16:33.203059912 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:16:33.327461004 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 81942 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:16:33.858331919 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:16:33.982350111 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 81942 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:16:38.706188917 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:16:38.830389023 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 81947 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:16:48.835223913 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:16:51.959731102 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:16:52.083987951 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 81961 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:17:02.088769913 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:17:03.723238945 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:17:03.848611116 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 81972 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:17:13.860306025 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:17:23.867305040 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:17:32.893255949 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 04:17:33.017858982 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 82001 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 04:17:43.023025036 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:17:53.034810066 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 04:18:03.042835951 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	23:15:56
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x410000
File size:	919'552 bytes
MD5 hash:	1D861B36E55E04FBC04FF38B5D152A08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2105717464.00000000016FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:15:56
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xaa0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:15:56
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:15:58
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xaa0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:15:59
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:15:59
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xaa0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:15:59
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:15:59
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xaa0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:15:59
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:15:59
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xaa0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:15:59
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:15:59
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:15:59
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	23:15:59
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	23:16:00
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2120 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39515606-0953-4238-9f6b-6d6653a23c41} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1fdff570310 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	23:16:02
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4236 -parentBuildID 20230927232528 -prefsHandle 4656 -prefMapHandle 4648 -prefsLen 26273 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e71d3d03-5e0e-4be1-9e03-002cc7d7a404} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1fd91c29910 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	23:16:09
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5036 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4940 -prefMapHandle 4952 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04af4695-a06b-4c33-be4e-ae43f533d05c} 1288 "\\.\pipe\gecko-crash-server-pipe.1288" 1fd994d8510 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	1516
Total number of Limit Nodes:	50

Executed Functions

Function 004142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0041430D

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

GetCurrentProcess.KERNEL32(?,004ACB64,00000000,?,?), ref: 00414422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00414429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00414454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00414466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00414474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0041447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004144A0

Strings

GetNativeSystemInfo, xrefs: 00414460
kernel32.dll, xrefs: 0041444F
|O, xrefs: 004536F8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: aaf28ca9ac9dff68355ec1cf01acc6150346ab212075de34b17506de4523a9e2
Instruction ID: 5bd0a10c115b8233cb2554a713b1d08cb2f7d6e949969e7e1139dd94e7fea33c
Opcode Fuzzy Hash: aaf28ca9ac9dff68355ec1cf01acc6150346ab212075de34b17506de4523a9e2
Instruction Fuzzy Hash: 6AA1C27198A2D0CFE711CB6978C05D97FA46B66741B0848FADC819BB33D2384959CB3E

Function 004142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004150AA,?,?,00000000,00000000), ref: 004142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004150AA,?,?,00000000,00000000), ref: 004142C9
LoadResource.KERNEL32(?,00000000,?,?,004150AA,?,?,00000000,00000000,?,?,?,?,?,?,00414F20), ref: 004535BE
SizeofResource.KERNEL32(?,00000000,?,?,004150AA,?,?,00000000,00000000,?,?,?,?,?,?,00414F20), ref: 004535D3
LockResource.KERNEL32(004150AA,?,?,004150AA,?,?,00000000,00000000,?,?,?,?,?,?,00414F20,?), ref: 004535E6

Strings

SCRIPT, xrefs: 004142BF

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 746cf777421605f4214d5d84872288f6da5fa601163c1849baf0c5c19e0d5c78
Instruction ID: 64b352aa6eec582408cddc42f2d7f946e43335457cb45514df6342ae0d7497fa
Opcode Fuzzy Hash: 746cf777421605f4214d5d84872288f6da5fa601163c1849baf0c5c19e0d5c78
Instruction Fuzzy Hash: 4E118E71600700BFD7218B65DC88FA77BBAEBC6B91F2041AEF402D6290DB71DC408675

Function 00452BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00412B6B

Part of subcall function 00413A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004E1418,?,00412E7F,?,?,?,00000000), ref: 00413A78

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,004D2224), ref: 00452C10
ShellExecuteW.SHELL32(00000000,?,?,004D2224), ref: 00452C17

Strings

runas, xrefs: 00452C0B

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: adc9694af30804778cb0f32cd20c049f26a85de0057f438f61f20be7b8d1c523
Instruction ID: ad4ded320dad4d48f974248dad2d2636c224a195f8523edf24c567d04a517595
Opcode Fuzzy Hash: adc9694af30804778cb0f32cd20c049f26a85de0057f438f61f20be7b8d1c523
Instruction Fuzzy Hash: B411D2312483456AC704FF21D9A19FE7BA4AB9175AF04142FF582421A3CF7C9A9AC71E

Function 0047D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0047D501
Process32FirstW.KERNEL32(00000000,?), ref: 0047D50F
Process32NextW.KERNEL32(00000000,?), ref: 0047D52F
CloseHandle.KERNELBASE(00000000), ref: 0047D5DC

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ae6df1fc43c79cceca9ac8620771c9b993d029c47febd1ffbe75dfa978aa0795
Instruction ID: f94cc9343f9b6e6d5958c8450b0b2dfa4962ca403455e7102376e4fbd1840aad
Opcode Fuzzy Hash: ae6df1fc43c79cceca9ac8620771c9b993d029c47febd1ffbe75dfa978aa0795
Instruction Fuzzy Hash: 4D31C471108300AFD300EF54C881AEFBBF8EF99348F14492EF585821A1EB759988CB96

Function 0047DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00455222), ref: 0047DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0047DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0047DBEE
FindClose.KERNEL32(00000000), ref: 0047DBFA

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 0d694c7e09d17afecbe423db6a296fda9315c71e712afbfc010a4e8934ba701c
Instruction ID: 09ebdddbf36ce4036177ee0147db7007318ee147bebc28438f175371bef3acbf
Opcode Fuzzy Hash: 0d694c7e09d17afecbe423db6a296fda9315c71e712afbfc010a4e8934ba701c
Instruction Fuzzy Hash: 0DF0A031C209105B92216B78AC4D8EB3BBC9E02334B148B53F83AC21E0EBB45D55869E

Function 00434CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004428E9,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002,00000000,?,004428E9), ref: 00434D09
TerminateProcess.KERNEL32(00000000,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002,00000000,?,004428E9), ref: 00434D10
ExitProcess.KERNEL32 ref: 00434D22

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 055a9437ebe809f51264ae9737a8e9a537305b218d522fa2cea4adfab8ac1e9c
Instruction ID: e2ce1280af31f4e8cff46ac7f0b083e64033e412971894a31d71b14f0566a782
Opcode Fuzzy Hash: 055a9437ebe809f51264ae9737a8e9a537305b218d522fa2cea4adfab8ac1e9c
Instruction Fuzzy Hash: 6EE0B631000148ABDFA1AF55DD49A993F69EB86785F104029FC159A232CB39ED42CB88

Function 0041BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#N, xrefs: 004607CE

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#N
API String ID: 3964851224-2222828212
Opcode ID: 7c7256de5aebfede7a5059d25cc691aa0045b6b956f5d397660c6e6c63295886
Instruction ID: 46ac8441f4e408f5f890657d813a83ac492ee8f03bec2790fc94a1389a817f05
Opcode Fuzzy Hash: 7c7256de5aebfede7a5059d25cc691aa0045b6b956f5d397660c6e6c63295886
Instruction Fuzzy Hash: 39A26E706083419FC714DF15C480B6BB7E1BF89304F54896EE89A8B352E779EC85CB9A

Function 0049AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0049B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0049B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0049B1D4
_wcslen.LIBCMT ref: 0049B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0049B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0049B236
_wcslen.LIBCMT ref: 0049B332

Part of subcall function 004805A7: GetStdHandle.KERNEL32(000000F6), ref: 004805C6

_wcslen.LIBCMT ref: 0049B34B
_wcslen.LIBCMT ref: 0049B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0049B3B6
GetLastError.KERNEL32(00000000), ref: 0049B407
CloseHandle.KERNEL32(?), ref: 0049B439
CloseHandle.KERNEL32(00000000), ref: 0049B44A
CloseHandle.KERNEL32(00000000), ref: 0049B45C
CloseHandle.KERNEL32(00000000), ref: 0049B46E
CloseHandle.KERNEL32(?), ref: 0049B4E3

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: dce5db95391f94078f4c5331cad4d16ab776b727b90ab990cddbaadf58af8266
Instruction ID: 25048c09a4b289408e7811efd2d9f096f84f233f76021500413f10eee37acff8
Opcode Fuzzy Hash: dce5db95391f94078f4c5331cad4d16ab776b727b90ab990cddbaadf58af8266
Instruction Fuzzy Hash: B2F18F315042009FCB14EF25D985B6FBBE1EF85314F14856EF8855B2A2DB39EC44CB9A

Function 0041D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0041D807
timeGetTime.WINMM ref: 0041DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041DB28
TranslateMessage.USER32(?), ref: 0041DB7B
DispatchMessageW.USER32(?), ref: 0041DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041DB9F
Sleep.KERNELBASE(0000000A), ref: 0041DBB1

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: fc30afacb4da65af0f07c6c1642baf5c1b581ddbffef7d3fd2867a03ec8dad16
Instruction ID: 233eb11a11d6ee92a0007f630f6eca49b9dfb503b303113e6136d5293f7cdb47
Opcode Fuzzy Hash: fc30afacb4da65af0f07c6c1642baf5c1b581ddbffef7d3fd2867a03ec8dad16
Instruction Fuzzy Hash: 9C42E6B0A08641EFD724CF25C984BAAB7E4BF45304F14452FE4568B391D7B8E885CB8B

Function 00412CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00412D07
RegisterClassExW.USER32(00000030), ref: 00412D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00412D42
InitCommonControlsEx.COMCTL32(?), ref: 00412D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00412D6F
LoadIconW.USER32(000000A9), ref: 00412D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00412D94

Strings

0, xrefs: 00412CE9
AutoIt v3 GUI, xrefs: 00412D23
+, xrefs: 00412CF0
TaskbarCreated, xrefs: 00412D37

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 32c5a8e4bb33209f5f27b13525c99b181c67f46ff3983be29a8df546a1a241be
Instruction ID: 26d889eeab7737b67dd740a4315651944a1799193d87aa314ad0eb52171a6d8d
Opcode Fuzzy Hash: 32c5a8e4bb33209f5f27b13525c99b181c67f46ff3983be29a8df546a1a241be
Instruction Fuzzy Hash: 8621E3B5D41259AFDB40DFA4E889BDDBFB4FB09700F00812AF911AA2A1D7B50540CF98

Function 0045065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0045039A: CreateFileW.KERNELBASE(00000000,00000000,?,00450704,?,?,00000000,?,00450704,00000000,0000000C), ref: 004503B7

GetLastError.KERNEL32 ref: 0045076F
__dosmaperr.LIBCMT ref: 00450776
GetFileType.KERNELBASE(00000000), ref: 00450782
GetLastError.KERNEL32 ref: 0045078C
__dosmaperr.LIBCMT ref: 00450795
CloseHandle.KERNEL32(00000000), ref: 004507B5
CloseHandle.KERNEL32(?), ref: 004508FF
GetLastError.KERNEL32 ref: 00450931
__dosmaperr.LIBCMT ref: 00450938

Strings

H, xrefs: 004508BD

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 62422ab422a217111100034ea33636ba52f09ab7fcb2cecb204abd2e280dd0aa
Instruction ID: 8e904d2056069bcdf7042deb4b8b28dc10fc79de7f2d6027b8a517a76bdb949f
Opcode Fuzzy Hash: 62422ab422a217111100034ea33636ba52f09ab7fcb2cecb204abd2e280dd0aa
Instruction Fuzzy Hash: 8AA138369001448FDF19AF68D891BAE7BA0AB0A325F14015EFC119F3D2DB799C17CB99

Function 0041344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00413A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004E1418,?,00412E7F,?,?,?,00000000), ref: 00413A78

Part of subcall function 00413357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00413379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0041356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0045318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004531CE
RegCloseKey.ADVAPI32(?), ref: 00453210
_wcslen.LIBCMT ref: 00453277
_wcslen.LIBCMT ref: 00453286

Strings

\, xrefs: 0045328C
\Include\, xrefs: 00413527
Include, xrefs: 00453184, 004531C5
Software\AutoIt v3\AutoIt, xrefs: 00413560

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 13002e1a8feeb434b5f527f3f9c0bfcbfc2e5ec7fd1eea55d1858609a9db928c
Instruction ID: e858ca5e4124b1a09b43b7b6f1e66bc920bdadb0341b8ba7d42d13a84b332d22
Opcode Fuzzy Hash: 13002e1a8feeb434b5f527f3f9c0bfcbfc2e5ec7fd1eea55d1858609a9db928c
Instruction Fuzzy Hash: 66717F714043409EC314DF66DD8299BBBE8BF95744F40443FF94587262EBB89A88CF69

Function 00412B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00412B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00412B9D
LoadIconW.USER32(00000063), ref: 00412BB3
LoadIconW.USER32(000000A4), ref: 00412BC5
LoadIconW.USER32(000000A2), ref: 00412BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00412BEF
RegisterClassExW.USER32(?), ref: 00412C40

Part of subcall function 00412CD4: GetSysColorBrush.USER32(0000000F), ref: 00412D07
Part of subcall function 00412CD4: RegisterClassExW.USER32(00000030), ref: 00412D31
Part of subcall function 00412CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00412D42
Part of subcall function 00412CD4: InitCommonControlsEx.COMCTL32(?), ref: 00412D5F
Part of subcall function 00412CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00412D6F
Part of subcall function 00412CD4: LoadIconW.USER32(000000A9), ref: 00412D85
Part of subcall function 00412CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00412D94

Strings

0, xrefs: 00412C0F
AutoIt v3, xrefs: 00412C2F
#, xrefs: 00412C16

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5f3defe11aa67fa14354c54093b3ed26a43743fd2890b839e2a8da65b06e3452
Instruction ID: 3b2bc01a16742ff9486beedea7918da6c5c0350a629f755a44a63e5c1f45029d
Opcode Fuzzy Hash: 5f3defe11aa67fa14354c54093b3ed26a43743fd2890b839e2a8da65b06e3452
Instruction Fuzzy Hash: 7D210974E40358ABEB109FA5ECD5AAD7FB4FB48B50F00403AE901AA6B1D7B51540DF98

Function 00413170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0041316A,?,?), ref: 004131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0041316A,?,?), ref: 00413204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00413227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0041316A,?,?), ref: 00413232
CreatePopupMenu.USER32 ref: 00413246
PostQuitMessage.USER32(00000000), ref: 00413267

Strings

TaskbarCreated, xrefs: 0041322D

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4d7a731822c9f1eb19ae1bfe0d2bbd7754fc1f3ff387ec4789a8d7fc6d7e87a2
Instruction ID: 6c59f49d2d4b00ad51ea740e1028840623781f8c34ef55a238766ca6cf6b1d49
Opcode Fuzzy Hash: 4d7a731822c9f1eb19ae1bfe0d2bbd7754fc1f3ff387ec4789a8d7fc6d7e87a2
Instruction Fuzzy Hash: 1F411935380144B6DB146F689D8D7FE3A59E706346F04413BF901892B2CBBD9EC1876E

Function 00411410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00411459
CoUninitialize.COMBASE ref: 004114F8
UnregisterHotKey.USER32(?), ref: 004116DD
DestroyWindow.USER32(?), ref: 004524B9
FreeLibrary.KERNEL32(?), ref: 0045251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0045254B

Strings

close all, xrefs: 00411454

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 8e9a22c9dccdcc8e646b6124bd51dee839857400eab36e5666cc0d2c267be717
Instruction ID: 1cdaf9cef9cef249be199b6956ef20ef562f5cfe89942317c1ea88c597efcc65
Opcode Fuzzy Hash: 8e9a22c9dccdcc8e646b6124bd51dee839857400eab36e5666cc0d2c267be717
Instruction Fuzzy Hash: FAD1CE30701222DFCB19EF15C594A6AF7A0BF06705F1441AFE90A6B362DB38AC56CF49

Function 00412C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00412C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00412CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00411CAD,?), ref: 00412CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00411CAD,?), ref: 00412CCF

Strings

edit, xrefs: 00412CAC
AutoIt v3, xrefs: 00412C89, 00412C8E, 00412C8F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2593c6742b82fe79092b42ec5e3f34119de21b5e21aa63ce0c963a6b0e605cb1
Instruction ID: 99052c86cc8cf3efcc0869b0853d3bb92962d71e3989a705adee18fcf6d74e1a
Opcode Fuzzy Hash: 2593c6742b82fe79092b42ec5e3f34119de21b5e21aa63ce0c963a6b0e605cb1
Instruction Fuzzy Hash: A5F03A759802D07AFB700713AC88E772EBDD7C7F50B00002AFD00AA5B1C2750840DAB8

Function 00413B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00413B0F,SwapMouseButtons,00000004,?), ref: 00413B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00413B0F,SwapMouseButtons,00000004,?), ref: 00413B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00413B0F,SwapMouseButtons,00000004,?), ref: 00413B83

Strings

Control Panel\Mouse, xrefs: 00413B3E

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 089459aa4bae07c699fe4cf93e00379ad960607a0c012dee4c00178955b40e5d
Instruction ID: efe99ebc86e2a43639fa0a45ccb95c55ad0c1e52a376fff70b7430767290cc3a
Opcode Fuzzy Hash: 089459aa4bae07c699fe4cf93e00379ad960607a0c012dee4c00178955b40e5d
Instruction Fuzzy Hash: 34112AB5515208FFDB208FA5DC84AEFBBB8EF05745B10446AA805D7211E235AE809768

Function 00413923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004533A2

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00413A04

Strings

Line: , xrefs: 004533EB

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 9c8269cd77b392e4b6cc86720c9b986e4d0e489490e0938c946c4369cdf0796d
Instruction ID: 64eb98bd1e8a2c6d8bf1d1448a80795433b550d303183492142cb03938254339
Opcode Fuzzy Hash: 9c8269cd77b392e4b6cc86720c9b986e4d0e489490e0938c946c4369cdf0796d
Instruction Fuzzy Hash: 6E31E571448304AAD321EF20DC45BEBB7D8AF44719F10092FF999931A1DB789A89C7CE

Function 00412DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00452C8C

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

Part of subcall function 00412DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00412DC4

Strings

`eM, xrefs: 00452C85
X, xrefs: 00452C5A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eM
API String ID: 779396738-3105956497
Opcode ID: 007bc4fc2ed29e8fa6074b4542330180b982ea32c1c1f0f6e4dc116566c22c30
Instruction ID: 60189ebbf70a092f4650bb241f0bb35d40b29c1db4a319a09a0ab6a936fb48da
Opcode Fuzzy Hash: 007bc4fc2ed29e8fa6074b4542330180b982ea32c1c1f0f6e4dc116566c22c30
Instruction Fuzzy Hash: F221C671A00258ABDB41DF95D8457EE7BF89F49305F00805BE405E7341DBFC55898F69

Function 0042FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00430668

Part of subcall function 004332A4: RaiseException.KERNEL32(?,?,?,0043068A,?,004E1444,?,?,?,?,?,?,0043068A,00411129,004D8738,00411129), ref: 00433304

__CxxThrowException@8.LIBVCRUNTIME ref: 00430685

Strings

Unknown exception, xrefs: 00430692

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 69e14e7717e1c5e950dc7e9d52de0ed288cfc225bbd858c076ed927c420365e1
Instruction ID: 8a9ef89cd59e2d12a381263514402eb75b796a092c879378687861d6288dc8f0
Opcode Fuzzy Hash: 69e14e7717e1c5e950dc7e9d52de0ed288cfc225bbd858c076ed927c420365e1
Instruction Fuzzy Hash: CBF0283090020C73CB00FAA6E856D9F777C5E04314FA0423BB814D16D5EF78DA59C58C

Function 004110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00411BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00411BF4
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00411BFC
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00411C07
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00411C12
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00411C1A
Part of subcall function 00411BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00411C22

Part of subcall function 00411B4A: RegisterWindowMessageW.USER32(00000004,?,004112C4), ref: 00411BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0041136A
OleInitialize.OLE32 ref: 00411388
CloseHandle.KERNEL32(00000000,00000000), ref: 004524AB

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: edf4b1c9d4ce36de066d10ca834a21dcfb9e4e6da13ae5f4827b678026176e8a
Instruction ID: b84454b7ec4f0764e400905ca68859637c0bfc71ced587ec1fd0445a8f5a922f
Opcode Fuzzy Hash: edf4b1c9d4ce36de066d10ca834a21dcfb9e4e6da13ae5f4827b678026176e8a
Instruction Fuzzy Hash: 807181B4991380AF8384EF7AA9C56A93AE4BB89344754853FD41ACB372E7344481CF4D

Function 0047C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00413923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00413A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0047C259
KillTimer.USER32(?,00000001,?,?), ref: 0047C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0047C270

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 19cbec374081e78010e2f5191070ee544f18fa0f3289eaef025c164c73595352
Instruction ID: 07c0a4e9dda9abd1281bfa016e86650e58038c89447dd5e7653cab4097062b5a
Opcode Fuzzy Hash: 19cbec374081e78010e2f5191070ee544f18fa0f3289eaef025c164c73595352
Instruction Fuzzy Hash: 7731B170904344AFEB22CF6498D5BE7BBEC9B06308F0044DED69EA7242C7785A85CB59

Function 004486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004485CC,?,004D8CC8,0000000C), ref: 00448704
GetLastError.KERNEL32(?,004485CC,?,004D8CC8,0000000C), ref: 0044870E
__dosmaperr.LIBCMT ref: 00448739

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: cce0ef7157022dc22e8da79089ef6260ca41a62ec3158b915f3db859766f3306
Instruction ID: ea73b3928fc640aac435520ba355ecc7594b0d5115cddce301038186b9cb4e05
Opcode Fuzzy Hash: cce0ef7157022dc22e8da79089ef6260ca41a62ec3158b915f3db859766f3306
Instruction Fuzzy Hash: CA016F3360416027FAA16634588577F27594B92778F36011FFC148B2D3DDAC8C81815C

Function 0041DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0041DB7B
DispatchMessageW.USER32(?), ref: 0041DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041DB9F
Sleep.KERNELBASE(0000000A), ref: 0041DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00461CC9

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 7dc6f04953acee438d6cfbe4919970260107ddd43f23a896f61b748bab606d7e
Instruction ID: 549212170e5995362c6f35e5c4ec1d5f8b3e2d2477322f221449ac2b3544161b
Opcode Fuzzy Hash: 7dc6f04953acee438d6cfbe4919970260107ddd43f23a896f61b748bab606d7e
Instruction Fuzzy Hash: 6AF054706443419BE770D761CC85FDB77ACEB45310F10452AE61A831D0DB38A4848B1E

Function 00421310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004217F6

Strings

CALL, xrefs: 004217C6

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: f388de8371513ea5ba7c1ebe0f7ba614b96975cfbca758d26dbafc0493f3b6ba
Instruction ID: a776517bb2fe5df75cedd954906f4bafdafd1e5466ba507881bd09a3726e9400
Opcode Fuzzy Hash: f388de8371513ea5ba7c1ebe0f7ba614b96975cfbca758d26dbafc0493f3b6ba
Instruction Fuzzy Hash: 7422CE706083119FC714DF15E480B2ABBF1BF95308F54896EF8868B361D779E885CB8A

Function 00413837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00413908

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f9938d2b0b43a721b09cec2748b82e54fc3efe950bbc5c5b80701b8e260995e1
Instruction ID: 056957f1de2ae35761f1b6e384e14098924950fae4bfab9b2b904b30d0ce5a52
Opcode Fuzzy Hash: f9938d2b0b43a721b09cec2748b82e54fc3efe950bbc5c5b80701b8e260995e1
Instruction Fuzzy Hash: 7B31AEB06043009FE320EF65D8847D7BBE8FB49709F00092FF99987251E775AA84CB5A

Function 0042F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0042F661

Part of subcall function 0041D730: GetInputState.USER32 ref: 0041D807

Sleep.KERNEL32(00000000), ref: 0046F2DE

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 12c28d855accd201bc2b3bfc37119bf12fa153e1894a38738301fabeec9362f7
Instruction ID: 6b4aa508ff43c5fcbd79eb740f9a3b29f5e869f4e5e1717f3dd2a331738286c1
Opcode Fuzzy Hash: 12c28d855accd201bc2b3bfc37119bf12fa153e1894a38738301fabeec9362f7
Instruction Fuzzy Hash: E8F08271240215AFD350EF65D445B9ABBE5FF45764F00003AE859C72A0EB70A840CF99

Function 00414ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00414E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00414EDD,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E9C
Part of subcall function 00414E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00414EAE
Part of subcall function 00414E90: FreeLibrary.KERNEL32(00000000,?,?,00414EDD,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414EFD

Part of subcall function 00414E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00453CDE,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E62
Part of subcall function 00414E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00414E74
Part of subcall function 00414E59: FreeLibrary.KERNEL32(00000000,?,?,00453CDE,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E87

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7105be3e625b6789eedda4a0fb4253c0138869e0127055b4b7711cd55418853a
Instruction ID: 900f2c9c90345bbf6c8c6cc6d72cff397e7799e8d9f53e8a554612d68bf07ed7
Opcode Fuzzy Hash: 7105be3e625b6789eedda4a0fb4253c0138869e0127055b4b7711cd55418853a
Instruction Fuzzy Hash: 39112732600305ABCF11BF62DD02FED77A4AF80715F10842FF442AA2C1DE789A86D758

Function 00448402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00448440

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 2ba38ccc1f517318ac4ca6c83e4bfe39dc5b3b419bedfe04272d4e55b40f7bb4
Instruction ID: 468fc146550a3b5ad369d51ca4c32303ba9c9804c984b30da46b8717e1514b66
Opcode Fuzzy Hash: 2ba38ccc1f517318ac4ca6c83e4bfe39dc5b3b419bedfe04272d4e55b40f7bb4
Instruction Fuzzy Hash: 9C11187590410AAFDB15DF58E94199F7BF5EF48314F14406AFC08AB312EA31EA11CBA9

Function 00445000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00444C7D: RtlAllocateHeap.NTDLL(00000008,00411129,00000000,?,00442E29,00000001,00000364,?,?,?,0043F2DE,00443863,004E1444,?,0042FDF5,?), ref: 00444CBE

_free.LIBCMT ref: 0044506C

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 3207294c87015c732eee2cb8e60bba1371940945a62811add9f7db552efcf610
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: E9014E762047055BF7318F55D881A5AFBEDFB85370F65051EF184932C1EA746805C778

Function 0043E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 4d792ed2e3683cdd0f0f3db6df7e6a3928387465b157af95a35fa66ad32eb828
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 2DF0F932912A14D6E6313A679C06B5B37989F66339F50171FF420922D2CB7CD40285AD

Function 00444C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00411129,00000000,?,00442E29,00000001,00000364,?,?,?,0043F2DE,00443863,004E1444,?,0042FDF5,?), ref: 00444CBE

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 00b8a9029b60a4de6008d7f84fe3df22ef27a5458a4a8b3990a9dd5d917f4057
Instruction ID: 7ee51492ea6bf53f0f876b325c3ebd3a3d483ebfaeec00ef9577486e0ae18ae0
Opcode Fuzzy Hash: 00b8a9029b60a4de6008d7f84fe3df22ef27a5458a4a8b3990a9dd5d917f4057
Instruction Fuzzy Hash: CAF0B43164222466FB215F62AC85B5B3788AFC17B1B1E4127BC15AB2D1CA38D80146AC

Function 00443820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f80a1775c4178c73938ae438c7dc3135fc328c179332c78d4bdc76bbfe87b6fe
Instruction ID: 2be2194f537c97b26d387be2b5a0cfa5e511e3eb05b278967ff7e17510578f57
Opcode Fuzzy Hash: f80a1775c4178c73938ae438c7dc3135fc328c179332c78d4bdc76bbfe87b6fe
Instruction Fuzzy Hash: 49E0E53110022496F6213E679C01B9BB6C9AB82FB2F050037BC14966D1DB29ED0185ED

Function 00414F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414F6D

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5e81d9c48a0a96b64a1673927d00dc671cac0e2df3dc051f73cd1d71df787b82
Instruction ID: d8e467e417625fc9cc4bbec40cd4c4cc744f867c383fa02e1d3cfa8514ed483f
Opcode Fuzzy Hash: 5e81d9c48a0a96b64a1673927d00dc671cac0e2df3dc051f73cd1d71df787b82
Instruction Fuzzy Hash: 0BF0A970105302CFCB348F21D4908A2BBE0EF44329320897FE1EA86720C739988ADF08

Function 004A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004A2A66

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 1c12b465f1a897295ca47a6b7ac2352397185d511a2daf52b6b321ac2aa30acf
Instruction ID: 2adda7da943e03969f9efe6a3a539bc8c6ab1c2384465282f44adeaf0f934759
Opcode Fuzzy Hash: 1c12b465f1a897295ca47a6b7ac2352397185d511a2daf52b6b321ac2aa30acf
Instruction Fuzzy Hash: 50E0DF72340116AEC750EA35DC809FE734CEB61399B00443BAC2AC2100DB788986A2A8

Function 004130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0041314E

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8d4745098d247c865b053b599f1c001060be833388ed5f776e639976ecd23720
Instruction ID: 9644816f2644e973a62ff5c4221b72a75d44b3e4d76f69f2c84862296c4903f2
Opcode Fuzzy Hash: 8d4745098d247c865b053b599f1c001060be833388ed5f776e639976ecd23720
Instruction Fuzzy Hash: DAF0A7709403449FE752DF24DC857D67BBCA70570CF0000F9A54896292D77447C8CF49

Function 00412DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00412DC4

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 07e93df19021665f8703897f14feb267f6a17ad950f393ec9de9c6906b6ee212
Instruction ID: 2739d31557871911e61141ce964b9a973c10960a1f6eb8ab37d91c0c6c9ed021
Opcode Fuzzy Hash: 07e93df19021665f8703897f14feb267f6a17ad950f393ec9de9c6906b6ee212
Instruction Fuzzy Hash: 2FE0C273A042245BCB20A2999C06FEA77EDDFC8794F0500B6FD09E7258DA64ED848698

Function 00412B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00413837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00413908

Part of subcall function 0041D730: GetInputState.USER32 ref: 0041D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00412B6B

Part of subcall function 004130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0041314E

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 448c220d5c012b6285b664cea2ddf5140af79e0b910bfb50521a8966eba76f2c
Instruction ID: 05eef3e647f2d1bdc569f713e98c19156a91d242edd2c6bba7c316fc13daa8e0
Opcode Fuzzy Hash: 448c220d5c012b6285b664cea2ddf5140af79e0b910bfb50521a8966eba76f2c
Instruction Fuzzy Hash: 8AE04F3160424407CA04BF66A8525EDA7999B9535AF40553FF142862A3CF6C89C5435A

Function 0045039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00450704,?,?,00000000,?,00450704,00000000,0000000C), ref: 004503B7

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 13cd5b35064a8f4c334f2466d3f35b3b711b8666d2090b4f2faec2d5c0f6257b
Instruction ID: 04a77af7f8c2275ecb2ffb4b20581333ca1a498ae7f0c6d44ef901ceab7b802d
Opcode Fuzzy Hash: 13cd5b35064a8f4c334f2466d3f35b3b711b8666d2090b4f2faec2d5c0f6257b
Instruction Fuzzy Hash: 23D06C3214010DBBDF028F84DD46EDA3FAAFB48714F014010BE1856020C736E821AB94

Function 00411CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00411CBC

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a651408382e47b846d8772c1fe62edfba992f306b6b4cddaca8a63fcdc23facc
Instruction ID: c43445fa6cd2b0e5a4a152cc0ed159e05a7acda552d4d864697e47614e2418b9
Opcode Fuzzy Hash: a651408382e47b846d8772c1fe62edfba992f306b6b4cddaca8a63fcdc23facc
Instruction Fuzzy Hash: 20C09B356C0354BFF2144780BDCAF107754A348B00F444011F6095D5F3C7F11810D758

Non-executed Functions

Function 004A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 004A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 004A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004A96C9
SendMessageW.USER32 ref: 004A96F2
GetKeyState.USER32(00000011), ref: 004A978B
GetKeyState.USER32(00000009), ref: 004A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004A97AE
GetKeyState.USER32(00000010), ref: 004A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004A97E9
SendMessageW.USER32 ref: 004A9810
SendMessageW.USER32(?,00001030,?,004A7E95), ref: 004A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 004A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004A9941
SetCapture.USER32(?), ref: 004A994A
ClientToScreen.USER32(?,?), ref: 004A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004A99D6
ReleaseCapture.USER32 ref: 004A99E1
GetCursorPos.USER32(?), ref: 004A9A19
ScreenToClient.USER32(?,?), ref: 004A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 004A9A80
SendMessageW.USER32 ref: 004A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 004A9AEB
SendMessageW.USER32 ref: 004A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 004A9B4A
GetCursorPos.USER32(?), ref: 004A9B68
ScreenToClient.USER32(?,?), ref: 004A9B75
GetParent.USER32(?), ref: 004A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 004A9BFA
SendMessageW.USER32 ref: 004A9C2B
ClientToScreen.USER32(?,?), ref: 004A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 004A9CDE
SendMessageW.USER32 ref: 004A9D01
ClientToScreen.USER32(?,?), ref: 004A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004A9D82

Part of subcall function 00429944: GetWindowLongW.USER32(?,000000EB), ref: 00429952

GetWindowLongW.USER32(?,000000F0), ref: 004A9E05

Strings

p#N, xrefs: 004A9990
@GUI_DRAGID, xrefs: 004A997D
F, xrefs: 004A9D07

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#N
API String ID: 3429851547-2054023450
Opcode ID: 3faf7f7d99aa7be426bc0ffa34db28e195b7383e21ce021d671e6d87b7168031
Instruction ID: 2872065ed9abebc30ef48a79d199d808c24ffbffe602ce20e88ab05f5eb9e2d2
Opcode Fuzzy Hash: 3faf7f7d99aa7be426bc0ffa34db28e195b7383e21ce021d671e6d87b7168031
Instruction Fuzzy Hash: CA42AC74605240AFDB24CF24CC84AABBBE5FF5A314F14062EF699872A1D735EC50CB5A

Function 004A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 004A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 004A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 004A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 004A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 004A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 004A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004A4A7E
IsMenu.USER32(?), ref: 004A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004A4B20
GetWindowLongW.USER32(?,000000F0), ref: 004A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 004A4C82
wsprintfW.USER32 ref: 004A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 004A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 004A4D5A

Strings

%d/%02d/%02d, xrefs: 004A4CA8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 80b1819f44eb6403bc36e41b72e15589932672447e5f344b6c73eabee28bdb88
Instruction ID: d4e54a8277d1ec3bdc5d3dffb94d56975de19d66760bfbbcc03ba14aa7d86c4f
Opcode Fuzzy Hash: 80b1819f44eb6403bc36e41b72e15589932672447e5f344b6c73eabee28bdb88
Instruction Fuzzy Hash: D812D171600214AFEB258F24DC49FAF7BF8AFD6314F10412AF515EA2E1DBB89941CB58

Function 0042F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0042F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0046F474
IsIconic.USER32(00000000), ref: 0046F47D
ShowWindow.USER32(00000000,00000009), ref: 0046F48A
SetForegroundWindow.USER32(00000000), ref: 0046F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046F4AA
GetCurrentThreadId.KERNEL32 ref: 0046F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0046F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0046F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0046F4DE
SetForegroundWindow.USER32(00000000), ref: 0046F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F4F6
keybd_event.USER32(00000012,00000000), ref: 0046F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F50B
keybd_event.USER32(00000012,00000000), ref: 0046F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F519
keybd_event.USER32(00000012,00000000), ref: 0046F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0046F528
keybd_event.USER32(00000012,00000000), ref: 0046F52D
SetForegroundWindow.USER32(00000000), ref: 0046F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0046F557

Strings

Shell_TrayWnd, xrefs: 0046F46F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 2b396dec389d5808e26e17054d6bf84b8e6eb8f18ddd4c07db2f3a4fc30e717a
Instruction ID: 6f0a8fd8c16c7855d3511cfa0acd8bab40b8d326641864457239685d22461f6e
Opcode Fuzzy Hash: 2b396dec389d5808e26e17054d6bf84b8e6eb8f18ddd4c07db2f3a4fc30e717a
Instruction Fuzzy Hash: 77315471B40328BFEB206BB55C8AFBF7E6CEB45B50F100076F601E61D1DAB55D00AA69

Function 00471201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0047170D
Part of subcall function 004716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0047173A
Part of subcall function 004716C3: GetLastError.KERNEL32 ref: 0047174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00471286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004712A8
CloseHandle.KERNEL32(?), ref: 004712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004712D1
GetProcessWindowStation.USER32 ref: 004712EA
SetProcessWindowStation.USER32(00000000), ref: 004712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00471310

Part of subcall function 004710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004711FC), ref: 004710D4
Part of subcall function 004710BF: CloseHandle.KERNEL32(?,?,004711FC), ref: 004710E9

Strings

, xrefs: 0047125A
winsta0, xrefs: 004712CC
ZM, xrefs: 00471392
default, xrefs: 0047130B

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZM
API String ID: 22674027-4222036657
Opcode ID: 8ea6af06f53bd573f65e76c55f9f76494034890b387175284b794910541fb624
Instruction ID: 5ebe5b4610c0680d9d62e6ad8f3315e4581e40c96d5973091170d4397814dd83
Opcode Fuzzy Hash: 8ea6af06f53bd573f65e76c55f9f76494034890b387175284b794910541fb624
Instruction Fuzzy Hash: A481A171900209AFDF219FA8DC49FEF7FB9EF05704F14812AF914A62A0D7388944CB69

Function 00470B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00471114
Part of subcall function 004710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471120
Part of subcall function 004710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 0047112F
Part of subcall function 004710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471136
Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0047114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00470BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00470C00
GetLengthSid.ADVAPI32(?), ref: 00470C17
GetAce.ADVAPI32(?,00000000,?), ref: 00470C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00470C6D
GetLengthSid.ADVAPI32(?), ref: 00470C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00470C8C
HeapAlloc.KERNEL32(00000000), ref: 00470C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00470CB4
CopySid.ADVAPI32(00000000), ref: 00470CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00470CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00470D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00470D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470D45
HeapFree.KERNEL32(00000000), ref: 00470D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470D55
HeapFree.KERNEL32(00000000), ref: 00470D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470D65
HeapFree.KERNEL32(00000000), ref: 00470D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00470D78
HeapFree.KERNEL32(00000000), ref: 00470D7F

Part of subcall function 00471193: GetProcessHeap.KERNEL32(00000008,00470BB1,?,00000000,?,00470BB1,?), ref: 004711A1
Part of subcall function 00471193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00470BB1,?), ref: 004711A8
Part of subcall function 00471193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00470BB1,?), ref: 004711B7

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1b8153b32cc06ffeacdc767c23e31243b0441e50c6438e83969ba2ff51be4d39
Instruction ID: f75398bc8c1c949a0eff6f3967684da32f54ae3d3bbeb5faa71af6c81c44da00
Opcode Fuzzy Hash: 1b8153b32cc06ffeacdc767c23e31243b0441e50c6438e83969ba2ff51be4d39
Instruction Fuzzy Hash: 5A714C7190120AEFDF209FE4DC84BEFBBB8AF05304F148526E919A6291D779A905CF64

Function 0048EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(004ACC08), ref: 0048EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0048EB37
GetClipboardData.USER32(0000000D), ref: 0048EB43
CloseClipboard.USER32 ref: 0048EB4F
GlobalLock.KERNEL32(00000000), ref: 0048EB87
CloseClipboard.USER32 ref: 0048EB91
GlobalUnlock.KERNEL32(00000000), ref: 0048EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0048EBC9
GetClipboardData.USER32(00000001), ref: 0048EBD1
GlobalLock.KERNEL32(00000000), ref: 0048EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0048EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0048EC38
GetClipboardData.USER32(0000000F), ref: 0048EC44
GlobalLock.KERNEL32(00000000), ref: 0048EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0048EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0048EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0048ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0048ECF3
CountClipboardFormats.USER32 ref: 0048ED14
CloseClipboard.USER32 ref: 0048ED59

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 6b4e96f6a69040cf0d6115442954a480089e9f58b116ef10b6fea427e8af3e67
Instruction ID: 9306f0b11657eb8d9a23f21ffc00f9e261983ffbde9b1bd8d88eeb74486a11bb
Opcode Fuzzy Hash: 6b4e96f6a69040cf0d6115442954a480089e9f58b116ef10b6fea427e8af3e67
Instruction Fuzzy Hash: FC61F5352043029FD300EF26C884F6E7BE4AF85714F04496EF456872A2DB39ED45CB6A

Function 0048698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004869BE
FindClose.KERNEL32(00000000), ref: 00486A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00486A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00486A75

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00486AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00486ADF

Strings

%4d, xrefs: 00486BB1
%02d, xrefs: 00486C00, 00486C0A, 00486C5A, 00486CAA, 00486CFA, 00486D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00486B32
%4d%02d%02d%02d%02d%02d, xrefs: 00486B6A
%03d, xrefs: 00486DA2

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d50b361ecc7459d6a310d35c16ad13c7e183dbb0e16df1676b4f462f063730cb
Instruction ID: 952399157b43fb10bf334b2d9b7ad416bf02b22bcdc3439a9c8d05a9a9766f16
Opcode Fuzzy Hash: d50b361ecc7459d6a310d35c16ad13c7e183dbb0e16df1676b4f462f063730cb
Instruction Fuzzy Hash: BFD15371508300AFC714EBA5D891EAFB7ECAF88708F44491EF589C7291EB38DA44C766

Function 00489642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00489663
GetFileAttributesW.KERNEL32(?), ref: 004896A1
SetFileAttributesW.KERNEL32(?,?), ref: 004896BB
FindNextFileW.KERNEL32(00000000,?), ref: 004896D3
FindClose.KERNEL32(00000000), ref: 004896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0048974A
SetCurrentDirectoryW.KERNEL32(004D6B7C), ref: 00489768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00489772
FindClose.KERNEL32(00000000), ref: 0048977F
FindClose.KERNEL32(00000000), ref: 0048978F

Strings

*.*, xrefs: 004896F5

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: b37c28f8aa6febed70524a5c74c0ac3342af179ceccea51debf3ec7e05f1a97a
Instruction ID: 76abdfb5c3706c9f0603e01a83b8f067962f123f56fa04c96d695ab40ba92a32
Opcode Fuzzy Hash: b37c28f8aa6febed70524a5c74c0ac3342af179ceccea51debf3ec7e05f1a97a
Instruction Fuzzy Hash: 9431B432500619AADB10BFB4DC48AEF77AC9F49320F1845A7E805E2290EB38DD408B5C

Function 0048979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 004897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00489819
FindClose.KERNEL32(00000000), ref: 00489824
FindFirstFileW.KERNEL32(*.*,?), ref: 00489840
SetCurrentDirectoryW.KERNEL32(?), ref: 00489890
SetCurrentDirectoryW.KERNEL32(004D6B7C), ref: 004898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004898B8
FindClose.KERNEL32(00000000), ref: 004898C5
FindClose.KERNEL32(00000000), ref: 004898D5

Part of subcall function 0047DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0047DB00

Strings

*.*, xrefs: 0048983B

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 582084bc44084f2350d59844ef028be15d9055e5863383b6f64733860eee3faf
Instruction ID: 2526aa5c16bd58def1cde4d971fda47a61c40baeea5adc0bf30615f079905b43
Opcode Fuzzy Hash: 582084bc44084f2350d59844ef028be15d9055e5863383b6f64733860eee3faf
Instruction Fuzzy Hash: 5A31A532500A1A6EDF10BFB5DC48AEF77AC9F06324F1845A7E814A2290DB38DD458B6C

Function 0049BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0049BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0049BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0049C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0049C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0049C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0049C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0049C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0049C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0049C382
RegCloseKey.ADVAPI32(00000000), ref: 0049C38F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 5cbb20db5de75d270401d7a793aa6626d53db097390d172ae5ab82e3723d7cd5
Instruction ID: f8e0af166d31c316af214529f682295d1b4fd83829a2da681b95b168441c762d
Opcode Fuzzy Hash: 5cbb20db5de75d270401d7a793aa6626d53db097390d172ae5ab82e3723d7cd5
Instruction Fuzzy Hash: FF024D716042009FDB14DF24C8D5E2ABBE5EF89318F1884AEF84ACB2A2D735ED45CB55

Function 00488195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00488257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00488267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00488273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00488310
SetCurrentDirectoryW.KERNEL32(?), ref: 00488324
SetCurrentDirectoryW.KERNEL32(?), ref: 00488356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0048838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00488395

Strings

*.*, xrefs: 0048839B

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 80373a1b7d3725b696cef15b87f7b1ed5e1f2b2db72753518e9ec4bd2d1dfda6
Instruction ID: 8c87cecdd7d48a25a21600357a76941b17b959492d1dc5e36fa3645ee2878ee6
Opcode Fuzzy Hash: 80373a1b7d3725b696cef15b87f7b1ed5e1f2b2db72753518e9ec4bd2d1dfda6
Instruction Fuzzy Hash: C6615B725043059FCB10EF61C88099FB3E9FF89318F44896EF98987251DB39E945CB9A

Function 0047D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

Part of subcall function 0047E199: GetFileAttributesW.KERNEL32(?,0047CF95), ref: 0047E19A

FindFirstFileW.KERNEL32(?,?), ref: 0047D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0047D1DD
MoveFileW.KERNEL32(?,?), ref: 0047D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0047D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0047D237

Part of subcall function 0047D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0047D21C,?,?), ref: 0047D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0047D253
FindClose.KERNEL32(00000000), ref: 0047D264

Strings

\*.*, xrefs: 0047D0CD, 0047D0D6, 0047D0EB

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 52b6dc8331a7ce922533ba6c519eb5c51158a04816a5c1bfc2b72679fcad07fe
Instruction ID: c9bd246417695e58f40d9c310ba86c615feddd4b560745cbcdddbfd4be17de3e
Opcode Fuzzy Hash: 52b6dc8331a7ce922533ba6c519eb5c51158a04816a5c1bfc2b72679fcad07fe
Instruction Fuzzy Hash: 50619271C1110D9FCF05EBE1C9929EDB775AF15304F2481AAE40677192EB386F4ACB68

Function 0048ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0048ED91
EmptyClipboard.USER32 ref: 0048ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0048EDAC
CloseClipboard.USER32 ref: 0048EEA3

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: cd68f13ec782993252d30324e1fb8098c14ce5da59e5cb62fc8a2c464e88e98a
Instruction ID: f6a1ee12a9bf1f9d6cd9cfd059f083aaf3a7f76c7cfd54588a7e6f3cede820cf
Opcode Fuzzy Hash: cd68f13ec782993252d30324e1fb8098c14ce5da59e5cb62fc8a2c464e88e98a
Instruction Fuzzy Hash: 4141A235604611DFD310DF16D888B6ABBE1EF45318F14C4AAE4198B7A2C739EC42CB98

Function 0047E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0047170D
Part of subcall function 004716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0047173A
Part of subcall function 004716C3: GetLastError.KERNEL32 ref: 0047174A

ExitWindowsEx.USER32(?,00000000), ref: 0047E932

Strings

, xrefs: 0047E95C
@, xrefs: 0047E925
SeShutdownPrivilege, xrefs: 0047E902
, xrefs: 0047E920

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: c0bb1e47f55966020c3eb9b5c09e81f143c2da03bb055d585ed43775d9d982f9
Instruction ID: 4121d37f4915808f1e42dbe2fa5f43559ff917019860fa529bbb4499c1d22683
Opcode Fuzzy Hash: c0bb1e47f55966020c3eb9b5c09e81f143c2da03bb055d585ed43775d9d982f9
Instruction Fuzzy Hash: B4012BF3610210ABEB5426B69C85FFB765C9708744F158667FA06F21D1D6685C40829C

Function 00491204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00491276
WSAGetLastError.WSOCK32 ref: 00491283
bind.WSOCK32(00000000,?,00000010), ref: 004912BA
WSAGetLastError.WSOCK32 ref: 004912C5
closesocket.WSOCK32(00000000), ref: 004912F4
listen.WSOCK32(00000000,00000005), ref: 00491303
WSAGetLastError.WSOCK32 ref: 0049130D
closesocket.WSOCK32(00000000), ref: 0049133C

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: f2901c0e9320d57d6022956eb0eba1e4c89fefc9eb384b579d7bac31061d82de
Instruction ID: 36fb13bde51371ff65b9a3fbae29feb4be3297c3ac66fa839b86cba43553d432
Opcode Fuzzy Hash: f2901c0e9320d57d6022956eb0eba1e4c89fefc9eb384b579d7bac31061d82de
Instruction Fuzzy Hash: A64162316001019FDB10EF64C484B6ABBE5BF46318F1881ADD8569F3E6C779ED81CBA5

Function 0044B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044B9D4
_free.LIBCMT ref: 0044B9F8
_free.LIBCMT ref: 0044BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004B3700), ref: 0044BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0044BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004E1270,000000FF,?,0000003F,00000000,?), ref: 0044BC36
_free.LIBCMT ref: 0044BD4B

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 947d3d152d4689eb1bfec6cf6bdd486f82cd9c713d1e7efe0a6840d044974208
Instruction ID: e9597cbb70ea9c676cba07968464c17cb60811c319e0a9a9fe6d1cced2f7fdb4
Opcode Fuzzy Hash: 947d3d152d4689eb1bfec6cf6bdd486f82cd9c713d1e7efe0a6840d044974208
Instruction Fuzzy Hash: A5C11971A042459FEB209F6A8C81AAA7BB8EF45314F1441AFE990EB352D738DD4187D8

Function 0047D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

Part of subcall function 0047E199: GetFileAttributesW.KERNEL32(?,0047CF95), ref: 0047E19A

FindFirstFileW.KERNEL32(?,?), ref: 0047D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0047D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0047D481
FindClose.KERNEL32(00000000), ref: 0047D498
FindClose.KERNEL32(00000000), ref: 0047D4A1

Strings

\*.*, xrefs: 0047D3F2

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e8453d006fc1e7dfa993f2c16fbef677be51cae7b30a75245200ed417a9ecffb
Instruction ID: 881502f683e4a739534d3d2421454e492770a406ec2f3b67fa0c6386e1b0b148
Opcode Fuzzy Hash: e8453d006fc1e7dfa993f2c16fbef677be51cae7b30a75245200ed417a9ecffb
Instruction Fuzzy Hash: 2C31B2714183449BC300EF61C8918EF77E8AE91314F448E1FF4D552191EB38AA49C76B

Function 0044E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0044E645

Strings

1#INF, xrefs: 0044F852
1#QNAN, xrefs: 0044F84B
1#IND, xrefs: 0044F83D
1#SNAN, xrefs: 0044F844

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 55d8a0112e7536801a80e2d2face1bd2a77649d72c9dacf9f5349b32c2276289
Instruction ID: 7f2a59f8be7e269ccb82b669bf2442bb820b17bf4250837d9df762e4fa5cdb0f
Opcode Fuzzy Hash: 55d8a0112e7536801a80e2d2face1bd2a77649d72c9dacf9f5349b32c2276289
Instruction Fuzzy Hash: F4C24872E046288FEB25CE299D407EAB7B5FB48305F1441EBD80DE7241E778AE858F45

Function 0048648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004864DC
CoInitialize.OLE32(00000000), ref: 00486639
CoCreateInstance.OLE32(004AFCF8,00000000,00000001,004AFB68,?), ref: 00486650
CoUninitialize.OLE32 ref: 004868D4

Strings

.lnk, xrefs: 004864BA, 00486524, 004865E0

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 5746d0e128abf1746091c8fc35c349ecb1e70696260edf34eeb56ce358158970
Instruction ID: bd6775c1ad53ba9417aa207dd946af9fa3ab70a9163365b3164009be91aae2f7
Opcode Fuzzy Hash: 5746d0e128abf1746091c8fc35c349ecb1e70696260edf34eeb56ce358158970
Instruction Fuzzy Hash: 5ED15B71508301AFC304EF25C891AABB7E8FF98708F10496EF5958B291EB34ED45CB96

Function 004922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004922E8

Part of subcall function 0048E4EC: GetWindowRect.USER32(?,?), ref: 0048E504

GetDesktopWindow.USER32 ref: 00492312
GetWindowRect.USER32(00000000), ref: 00492319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00492355
GetCursorPos.USER32(?), ref: 00492381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004923DF

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: a8a07764a6c0faaf334571e613809a976c782fb92ab1b4b6bfa29b7e8829307b
Instruction ID: bda8f7bd6a7f8d7156a8f373fab8ae418e43ecd8c114459a1b6a3ef742074e25
Opcode Fuzzy Hash: a8a07764a6c0faaf334571e613809a976c782fb92ab1b4b6bfa29b7e8829307b
Instruction Fuzzy Hash: C931E672505315AFCB20DF25C845B5B7BE9FF89314F00092EF98597181DB78E908CB95

Function 00489B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00489B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00489C8B

Part of subcall function 00483874: GetInputState.USER32 ref: 004838CB
Part of subcall function 00483874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00483966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00489BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00489C75

Strings

*.*, xrefs: 00489B5D

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 205a781e5336a773ee82f868c49ac03131397ed52d091963f8dde5e3f5b8f9b8
Instruction ID: 49a0db4858c119d05f826541f64bd1c1de7c45d6420c29d4adb679eba4af7771
Opcode Fuzzy Hash: 205a781e5336a773ee82f868c49ac03131397ed52d091963f8dde5e3f5b8f9b8
Instruction Fuzzy Hash: 2941B3719006099FDF15EF64C889AEE7BF4FF05310F24445BE805A2291EB39AE84CF68

Function 0042997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00429A4E
GetSysColor.USER32(0000000F), ref: 00429B23
SetBkColor.GDI32(?,00000000), ref: 00429B36

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 4ef140965a7e9bddf5908c3ae7c646a6ee2ee3860e67d70e09dad162ffcfb65a
Instruction ID: f33e99569ca7314aa580f14835c56f0e6487d477b6a2df7b9c28cc2b4582c339
Opcode Fuzzy Hash: 4ef140965a7e9bddf5908c3ae7c646a6ee2ee3860e67d70e09dad162ffcfb65a
Instruction Fuzzy Hash: 45A12D703085A0BEE724AA2DAC98D7B295DEF43358F54411FF402C6792DA2D9D42C27F

Function 00491806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0049304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0049307A
Part of subcall function 0049304E: _wcslen.LIBCMT ref: 0049309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0049185D
WSAGetLastError.WSOCK32 ref: 00491884
bind.WSOCK32(00000000,?,00000010), ref: 004918DB
WSAGetLastError.WSOCK32 ref: 004918E6
closesocket.WSOCK32(00000000), ref: 00491915

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 7e95823b984781d212d0e4ecb6d37d4c6716ace0ec562b3ecb0f5ad93d868c32
Instruction ID: 61dfaf6aaed178368c8f86e4d8af9b38a4c53dc191049b18f6dc8a06e67cc523
Opcode Fuzzy Hash: 7e95823b984781d212d0e4ecb6d37d4c6716ace0ec562b3ecb0f5ad93d868c32
Instruction Fuzzy Hash: 6251B171A00210AFDB10EF24C886F6A7BE5AB45718F04809DF9155F3D3C779ED428BA5

Function 004A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004A1CC0
IsWindowEnabled.USER32 ref: 004A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 004A1CDB
IsIconic.USER32 ref: 004A1CE9
IsZoomed.USER32 ref: 004A1CF7

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 83be3fe16b0eada9d84b5d24131c50c0d88bf7c3195c116de9dfd601ca50eaf8
Instruction ID: 1b582f708d5333429c38d7c272864bafcb15e379d6e87731d89e9730ec1cd216
Opcode Fuzzy Hash: 83be3fe16b0eada9d84b5d24131c50c0d88bf7c3195c116de9dfd601ca50eaf8
Instruction Fuzzy Hash: A52197317406115FE7208F1AD884B677BE5EFA6325F19806EE846CB361C779EC42CB98

Function 00418060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0041843C
ERCP, xrefs: 0041813C
VUUU, xrefs: 004183FA
VUUU, xrefs: 00455DF0
VUUU, xrefs: 004183E8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: a47f74887cdec0ca62775d863d3a2791c6fad9aba549954cb7e236fff54248cf
Instruction ID: dcac04e15f16dcd5f4ad99a31405ad59be15cef23d9735500cacf7078ae58de4
Opcode Fuzzy Hash: a47f74887cdec0ca62775d863d3a2791c6fad9aba549954cb7e236fff54248cf
Instruction Fuzzy Hash: 00A28C70A0061ACBDF24CF58C9507EEB7B1AB54311F25819BEC15A7382EB389DC5CB99

Function 00478298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004782AA

Strings

|, xrefs: 004782DA
tbM, xrefs: 004784F4
(, xrefs: 004782F0

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbM$|
API String ID: 1659193697-2959561728
Opcode ID: 1f3107bc233b6917bffc585d16fca7ab5a95f20a43e32632d3a738617f4ba5bb
Instruction ID: 26f52a6da03ec17fb982b3d23b80084894bb90065f382fbebe4ab9c652514ebc
Opcode Fuzzy Hash: 1f3107bc233b6917bffc585d16fca7ab5a95f20a43e32632d3a738617f4ba5bb
Instruction Fuzzy Hash: 2C324674A007059FCB28CF19C484AAAB7F0FF48710B15C56EE89ADB7A1EB74E941CB44

Function 0047AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0047AAAC
SetKeyboardState.USER32(00000080), ref: 0047AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0047AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0047AB88

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1e88283fa3b960101e8e1c967dc627a4e1c5f4b4010cdb7a1c330d9be1e59f62
Instruction ID: d047cb36b58012327e03cf793e2875beafb4bef4af9709bef7950b2e43ec58b9
Opcode Fuzzy Hash: 1e88283fa3b960101e8e1c967dc627a4e1c5f4b4010cdb7a1c330d9be1e59f62
Instruction Fuzzy Hash: E831FB30A40204AEFB25CA65C805BFF7BA6ABC5310F04C21BF289552D1D37CA965C75B

Function 0048CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0048CE89
GetLastError.KERNEL32(?,00000000), ref: 0048CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0048CEFE

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: a9c051143c1e3b11bd2e1e4940b97909d37930246d3b9fa34ba0518a3cd32c00
Instruction ID: 7f7814d51e181b2f6b9beb3ab883d1bc04334b89ad5f6d1789026b9788c9685f
Opcode Fuzzy Hash: a9c051143c1e3b11bd2e1e4940b97909d37930246d3b9fa34ba0518a3cd32c00
Instruction Fuzzy Hash: 752192719003059BE730EF55D984BAB77F8EB51354F10482FE64692291D778ED058B68

Function 00485C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00485CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00485D17
FindClose.KERNEL32(?), ref: 00485D5F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 84f86bb209615a9e86f169a691e9267b644bf16b9ba532a07f7d90a7f9662fdf
Instruction ID: 17d6ded8bbdfeb055e7ab827c6b7c8d2470d14081125e9846a0701b152a51fdc
Opcode Fuzzy Hash: 84f86bb209615a9e86f169a691e9267b644bf16b9ba532a07f7d90a7f9662fdf
Instruction Fuzzy Hash: 6251AA346046019FC714DF28C494A9AB7E4FF49318F14895EE95A8B3A1CB38EC45CF95

Function 00442622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0044271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00442724
UnhandledExceptionFilter.KERNEL32(?), ref: 00442731

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e6634ef1f1cf553940349ee3d284e99854a98cefd423b437a59bbc8382b7cf6e
Instruction ID: f0a91f49a73f4d2670ce6a8201a05471ec36f34d493f05d08f924ae8020d6c70
Opcode Fuzzy Hash: e6634ef1f1cf553940349ee3d284e99854a98cefd423b437a59bbc8382b7cf6e
Instruction Fuzzy Hash: F431D67490121C9BCB21DF65DD897DDBBB8AF08310F5042EAE80CA7260E7749F818F48

Function 004851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00485238
SetErrorMode.KERNEL32(00000000), ref: 004852A1

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: cbfd20ac1b9916423c1bd9f7b370c35ce454e305f9f13a635842239b7a4dcb63
Instruction ID: b46b3ddad400828f7b0c3bd4e6fbbc9f4f51c2a9c9057384e1868e1abc44f79b
Opcode Fuzzy Hash: cbfd20ac1b9916423c1bd9f7b370c35ce454e305f9f13a635842239b7a4dcb63
Instruction Fuzzy Hash: 1F314F75A00518DFDB00EF55D8C4EADBBB4FF49318F04849AE8059B392DB35E856CB54

Function 004716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0042FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00430668
Part of subcall function 0042FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00430685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0047170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0047173A
GetLastError.KERNEL32 ref: 0047174A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: d6759744601ebbdabb8cd3e76b1f565d2232adab4d7a3dec0a667158343e4808
Instruction ID: 18fc88071497311a0cba97fe41d400e6cfb07f12cfe12254bab8d2776a0ad4d1
Opcode Fuzzy Hash: d6759744601ebbdabb8cd3e76b1f565d2232adab4d7a3dec0a667158343e4808
Instruction Fuzzy Hash: E811C1B2514304AFD7189F54ECC6DABBBBDEB04714B60C52EE05693251EB74BC418B68

Function 0047D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0047D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0047D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0047D650

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a6742f7660be72c51bd600da9fc50fb6fdfdd852e52e12c84e56d818b71834be
Instruction ID: b5a699aacca66e5602bb2e1963d6860e8a37be59f87fb75179525ac0aaec123b
Opcode Fuzzy Hash: a6742f7660be72c51bd600da9fc50fb6fdfdd852e52e12c84e56d818b71834be
Instruction Fuzzy Hash: 24117C71E01228BBDB108F949C84FAFBFBCEB45B50F108122F908E7290D6704A018BA5

Function 00471663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0047168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004716A1
FreeSid.ADVAPI32(?), ref: 004716B1

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a259ebb3a9bd4bc8146d36e062b05acaa742873583dce6b6539371f138a4ed5c
Instruction ID: 0e2bef568d4ae50979519424c85f10ed086d26084bc358bcbfc30b265d87147d
Opcode Fuzzy Hash: a259ebb3a9bd4bc8146d36e062b05acaa742873583dce6b6539371f138a4ed5c
Instruction Fuzzy Hash: FAF0F47195030DFBDB00DFE49C89EAEBBBCEB09604F508565E501E2191E774AA448A54

Function 0044C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0044C36C

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: c0ed885b057a154dd4d4a007440493614cf3c8344ddb9dce7dacc7a261998021
Instruction ID: 8369cdf84fbea0b1922c9144b817f9f71b20c85c1454a9d6c02d077b6d318009
Opcode Fuzzy Hash: c0ed885b057a154dd4d4a007440493614cf3c8344ddb9dce7dacc7a261998021
Instruction Fuzzy Hash: 164149729012196FDB209FB9CC88EBB77B9EB84314F1442AEF905C7280E6749D41CB58

Function 0046D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0046D28C

Strings

X64, xrefs: 0046D2A8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 893398ad9dafa3edd6b738b8f27ec3f3615b9fdb97cc81ed712a2810b442ca0d
Instruction ID: ed0a3ed3a20f4c6a0c6a86f509358568946b49f33e52ce0ab44c71645a3f08ea
Opcode Fuzzy Hash: 893398ad9dafa3edd6b738b8f27ec3f3615b9fdb97cc81ed712a2810b442ca0d
Instruction Fuzzy Hash: FAD0C9B4D0516DEACB90CB90ECC8DD9B77CBB04305F100192F106A2000DB3495498F15

Function 0043CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 93108dced47ae960ecb6207f19bdd7daf14b010d4f522f71b178ba6952163ed0
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 25021D72E002199BDF14CFA9C9C06AEFBF1EF48314F25916AD819F7384D735AA418B94

Function 0041CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#N, xrefs: 0041CF7F
Variable is not of type 'Object'., xrefs: 00460C40

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#N
API String ID: 0-3233274810
Opcode ID: c758f5d67d77f277a1f363d3eca551ca7fc69e5f37f305e31ba0af17a94627e0
Instruction ID: eaf1ae8991d39c9fd18ce6b6a1c7b5a3536a6b9310fb3bb73bb85a732cb4285a
Opcode Fuzzy Hash: c758f5d67d77f277a1f363d3eca551ca7fc69e5f37f305e31ba0af17a94627e0
Instruction Fuzzy Hash: 77328E70940218DBDF14DF90D981AEEB7B5FF04308F14405BE806AB392E779AD86CB5A

Function 004868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00486918
FindClose.KERNEL32(00000000), ref: 00486961

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 59ebd294e15c8fe6538ac749b4ab6692e04ffde2667a46df7be83a552f42afa5
Instruction ID: 9d71941b85c6fcdba99199f5a1609a0b72cbea65a5800d56cdd19460d75f049e
Opcode Fuzzy Hash: 59ebd294e15c8fe6538ac749b4ab6692e04ffde2667a46df7be83a552f42afa5
Instruction Fuzzy Hash: 621181716042009FD710DF29D8C4A1ABBE5EF85328F15C6AEE4698F7A2C734EC45CB95

Function 004837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00494891,?,?,00000035,?), ref: 004837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00494891,?,?,00000035,?), ref: 004837F4

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1a44e45063fc424b86853aa1404ef490567e98cbb2e72d99a7bb7dc316c0e784
Instruction ID: 9eeae545dbadd5be335424df86c9b4d180ad6a20f6f13cbd3374a379a3265c39
Opcode Fuzzy Hash: 1a44e45063fc424b86853aa1404ef490567e98cbb2e72d99a7bb7dc316c0e784
Instruction Fuzzy Hash: 8FF0EC71A042142AD75027664C4DFDB7A9DDFC5B65F000176F505D2291D9609D44C7F8

Function 0047B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0047B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0047B270

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 34c6daeecc7c90afa9245fa8cd82a39deb64df1fd9a568f54d6be64025163a19
Instruction ID: 27d8c012cca1ca3818a3cc571a97bf8d54cc97717b1acda51ea59f53da98aea9
Opcode Fuzzy Hash: 34c6daeecc7c90afa9245fa8cd82a39deb64df1fd9a568f54d6be64025163a19
Instruction Fuzzy Hash: 9AF01D7580424EABDB059FA0C805BFE7FB4FF09309F00805AF955A5192C37986119F98

Function 004710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004711FC), ref: 004710D4
CloseHandle.KERNEL32(?,?,004711FC), ref: 004710E9

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2f06a02423cc23f8f71f895ba6cd15a06b5b6ab1099f6c8d9170ae763e71d167
Instruction ID: 99b901fce3db8f87312295d95c22310121ec12dc42d2ff0e07c4f11101fcbfc5
Opcode Fuzzy Hash: 2f06a02423cc23f8f71f895ba6cd15a06b5b6ab1099f6c8d9170ae763e71d167
Instruction Fuzzy Hash: D3E04F32018610AEE7252B61FC05EB37BA9EF04310B10883EF4A6804B1DB626C90DB58

Function 0044676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00446766,?,?,00000008,?,?,0044FEFE,00000000), ref: 00446998

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7e0699f6885c9e0e35e63e4f06ff1928b36fabb1e40a5a5284bea70460529ed5
Instruction ID: d393cb3b16803b487488d236cd6f9d7c94727054d244dfda872452f66f586e50
Opcode Fuzzy Hash: 7e0699f6885c9e0e35e63e4f06ff1928b36fabb1e40a5a5284bea70460529ed5
Instruction Fuzzy Hash: DDB16E71610608DFE715CF28C486B657BE0FF46364F268659E899CF3A2C339D982CB46

Function 0042B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0046851F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3f88c311f12813d9ae2998550c1f4482843a08754cbfa491248a302a7f4aef57
Instruction ID: 76232ba2bdb4dd4a55621ba40e147716257af1688b8bdec1df18873947bd21c7
Opcode Fuzzy Hash: 3f88c311f12813d9ae2998550c1f4482843a08754cbfa491248a302a7f4aef57
Instruction Fuzzy Hash: 07126F71A002299BCB14DF58D8806EEB7B5FF48310F54819BE849EB355EB389E81CF95

Function 0048EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0048EABD

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7212ef0b92fc8f380ed5a3efaf03d38414c787674acb62c3cddc732ad52ca21e
Instruction ID: 1781a261ba94e53d80adcaf363e293251e87bf873f1f1829f6dab33583834531
Opcode Fuzzy Hash: 7212ef0b92fc8f380ed5a3efaf03d38414c787674acb62c3cddc732ad52ca21e
Instruction Fuzzy Hash: 1BE01A31200204AFC710EF5AD844E9ABBE9AF98764F00842BFC49C7391DA74E8818B95

Function 004309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004303EE), ref: 004309DA

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a069eac97da2023fc5ff85f1cb8ec43ecea8412b9b591cdbb40bca010c4db709
Instruction ID: 991ab77617efdda4c5f72285da7c0ec40fb0d159deb7bbb2cff1c3768c8cb150
Opcode Fuzzy Hash: a069eac97da2023fc5ff85f1cb8ec43ecea8412b9b591cdbb40bca010c4db709
Instruction Fuzzy Hash:

Function 0043781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0043798B

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 110126e8969a0e9dd53842a00397caa192adff14845f88466a9de7126b6a3ff4
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: DF5134E160C7456AEB3C6629449A7BF67859F0E344F183A0FE8C287382C61DDE02D35E

Function 00482046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&N, xrefs: 00482053

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: 0&N
API String ID: 0-2307969841
Opcode ID: 07183efe61759c0c6122caa06fbb8e47cfae173e81ac29cc90237ca9693c9288
Instruction ID: 5a794de70105e9bdb6ded61bf82c1de75a8d5c1544ed8ab870e91f3ec8027bfd
Opcode Fuzzy Hash: 07183efe61759c0c6122caa06fbb8e47cfae173e81ac29cc90237ca9693c9288
Instruction Fuzzy Hash: 8421EB326206118BDB28CF79C91367E73E9A754310F148A2EE4A7C73D1DEB9A904C784

Function 00446DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0968b6ffe64bf806d03d9ab60a54bc427789297fd9135d47466a2d5038968240
Instruction ID: 881136962dc75cc9bf3f34b6bc7bcc0ca3eb2d6e1765fa22485b7ef371f1c26b
Opcode Fuzzy Hash: 0968b6ffe64bf806d03d9ab60a54bc427789297fd9135d47466a2d5038968240
Instruction Fuzzy Hash: 8F323521D29F014EEB239635CD22336A64DAFB73C5F15D737E81AB5EA5EB68C4834104

Function 0042CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ca3e73ff07188aab83d9a94ca336fb4c74d74a551f28ffe4fe9bce99ff69fe
Instruction ID: c51d29c05a9ec3443fe24ba45c0e2700ca34eacb9bb1c584056eba32015b3e1f
Opcode Fuzzy Hash: 77ca3e73ff07188aab83d9a94ca336fb4c74d74a551f28ffe4fe9bce99ff69fe
Instruction Fuzzy Hash: 2A32E131B001558BDF28CE69D4D467E7BA1AF45300F68816BD4DA9B391F23C9E82DB4B

Function 00417920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46315ff4d06abdf6c409ee17110306186bde2a3f13c2425008bcaf872b44c1d3
Instruction ID: e79187e9489bcf6a0213a319a3d41cb664b3c4e337d71a61c055d85dfabdbe0e
Opcode Fuzzy Hash: 46315ff4d06abdf6c409ee17110306186bde2a3f13c2425008bcaf872b44c1d3
Instruction Fuzzy Hash: 7222F1B0A04609DFDF04CF65C991AFEB3B5FF48304F10412AE816A7291EB39AD55CB59

Function 004191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4444f9a0391d09c9fe50618b9d038a363dd65db3eec8be7b969609c09527e23a
Instruction ID: c4ea14548b8f248bac80e692cb8833e04a3c248062f6c23e961347b75e32532f
Opcode Fuzzy Hash: 4444f9a0391d09c9fe50618b9d038a363dd65db3eec8be7b969609c09527e23a
Instruction Fuzzy Hash: 0102F6B0E00109EBCB05DF65D981AAEB7B1FF44304F50816AE816DB391E739EE55CB89

Function 00449EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985c991bc033f74a7c532f2352aa882db713a6ed12624c534da32706451a2290
Instruction ID: 079241d686458ae519cec04d320dcdebed1900bfd42149ffe0d8f6bdec5cbed8
Opcode Fuzzy Hash: 985c991bc033f74a7c532f2352aa882db713a6ed12624c534da32706451a2290
Instruction Fuzzy Hash: 33B10720D2AF504ED7239A398871337B69C6FB76D6F51E72BFC1674D22EB2185834144

Function 00431C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 88aa4d5110643c649ddbc04e2564b90e9b6b4898e293fa57585c52177d949e86
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EF9198721080A34ADB29423E853503FFFE15E563B1B1A279FD4F2CA2E1FE18D954D624

Function 004319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 22f1bcf4688c62c16413c403157820c39866a4f555445a4a06d86e54ad177b84
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: F291C6722090E30ADB2D427A847403FFFE14A963B2B1A279FD4F2CA2E1FD18D555D624

Function 00437A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665f1f512deed0926ffc35e1f86ea16cee1f24a7845e9de2f44113ac22bf4de6
Instruction ID: 0ab1eda3c4a2fc816106b00c2e7bdc9c09070e2be8bb8df06286ae26a1288aaa
Opcode Fuzzy Hash: 665f1f512deed0926ffc35e1f86ea16cee1f24a7845e9de2f44113ac22bf4de6
Instruction Fuzzy Hash: AC613AE120874956DA34AA2848957BFB3A4DF4D718F14391FF8C2DB382D61DAE42C35E

Function 00437CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e6a13024682c61d09378aabdfe7cc2aa841bb2a405dfad74ccdf5efd8af8506
Instruction ID: b2a439f55ce16124dc78880318638c415f119d223588e3b7d968c0c4349d371b
Opcode Fuzzy Hash: 9e6a13024682c61d09378aabdfe7cc2aa841bb2a405dfad74ccdf5efd8af8506
Instruction Fuzzy Hash: E1616BF120870966DE385A289892BBF63949F4D744F20395FF9C3DB381D61E9D42825E

Function 00431706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 769b7f0385c46742cd252e659e0394e639662515a03f0afdc5151e829fa24050
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 0F8196725080A309DB2D423A857443FFFE15E963A1B1E179FD4F2CA2E1EE18C554D628

Function 00492ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00492B30
DeleteObject.GDI32(00000000), ref: 00492B43
DestroyWindow.USER32 ref: 00492B52
GetDesktopWindow.USER32 ref: 00492B6D
GetWindowRect.USER32(00000000), ref: 00492B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00492CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00492CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492CF8
GetClientRect.USER32(00000000,?), ref: 00492D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00492D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492D80
GlobalLock.KERNEL32(00000000), ref: 00492D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492D98
GlobalUnlock.KERNEL32(00000000), ref: 00492DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492DA8
GlobalFree.KERNEL32(00000000), ref: 00492DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,004AFC38,00000000), ref: 00492DDB
GlobalFree.KERNEL32(00000000), ref: 00492DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00492E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00492E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00492E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0049303F

Strings

AutoIt v3, xrefs: 00492CF2
DISPLAY, xrefs: 00492EA2
, xrefs: 00492FC5
static, xrefs: 00492D3A, 00492E91

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 48e8eb2a03e54829c18017eeefd8fa3ca7c4d6be2a3aa6711a90ad40ac848b43
Instruction ID: ffe006199e9f278330d7a5bd163bf6eceddee57d23d595ee7ffd9f292397d65f
Opcode Fuzzy Hash: 48e8eb2a03e54829c18017eeefd8fa3ca7c4d6be2a3aa6711a90ad40ac848b43
Instruction Fuzzy Hash: 8B027D71A00205AFDB14DF64CD89EAE7FB9EF49314F008169F915AB2A1DB74AD01CF68

Function 004A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 004A712F
GetSysColorBrush.USER32(0000000F), ref: 004A7160
GetSysColor.USER32(0000000F), ref: 004A716C
SetBkColor.GDI32(?,000000FF), ref: 004A7186
SelectObject.GDI32(?,?), ref: 004A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 004A71C0
GetSysColor.USER32(00000010), ref: 004A71C8
CreateSolidBrush.GDI32(00000000), ref: 004A71CF
FrameRect.USER32(?,?,00000000), ref: 004A71DE
DeleteObject.GDI32(00000000), ref: 004A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 004A7230
FillRect.USER32(?,?,?), ref: 004A7262
GetWindowLongW.USER32(?,000000F0), ref: 004A7284

Part of subcall function 004A73E8: GetSysColor.USER32(00000012), ref: 004A7421
Part of subcall function 004A73E8: SetTextColor.GDI32(?,?), ref: 004A7425
Part of subcall function 004A73E8: GetSysColorBrush.USER32(0000000F), ref: 004A743B
Part of subcall function 004A73E8: GetSysColor.USER32(0000000F), ref: 004A7446
Part of subcall function 004A73E8: GetSysColor.USER32(00000011), ref: 004A7463
Part of subcall function 004A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004A7471
Part of subcall function 004A73E8: SelectObject.GDI32(?,00000000), ref: 004A7482
Part of subcall function 004A73E8: SetBkColor.GDI32(?,00000000), ref: 004A748B
Part of subcall function 004A73E8: SelectObject.GDI32(?,?), ref: 004A7498
Part of subcall function 004A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004A74B7
Part of subcall function 004A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004A74CE
Part of subcall function 004A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004A74DB

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 7e3ba27dfc4fceb1822dc7db107000eb912b1216b2826e502d08f3a45506fba6
Instruction ID: f9750ebc21ed2f779264fe058ba64ec8d91ebe6f7ce6eb81098d1e806a156fdc
Opcode Fuzzy Hash: 7e3ba27dfc4fceb1822dc7db107000eb912b1216b2826e502d08f3a45506fba6
Instruction Fuzzy Hash: 21A1B072508311BFDB509F60DC88A6B7BE9FF4A320F100A29F962961E1D734E945CF56

Function 00428D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00428E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00466AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00466AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00466F43

Part of subcall function 00428F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00428BE8,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 00428FC5

SendMessageW.USER32(?,00001053), ref: 00466F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00466F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00466FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00466FB7

Strings

0, xrefs: 00466DCF

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0ae642a49dc10cab2eb136b1e90c390d6a728b744337930b170b8338b7df97e8
Instruction ID: e85ca2b2c90c6feb97eea3cbf86d1acb8bcee936fe23978b98dc5e39ab1ebc98
Opcode Fuzzy Hash: 0ae642a49dc10cab2eb136b1e90c390d6a728b744337930b170b8338b7df97e8
Instruction Fuzzy Hash: 2312AD30201261EFD725CF14D884BAABBE5FB45300F56446EF485CB262DB39AC52CF9A

Function 00492711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0049273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0049286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00492900
GetClientRect.USER32(00000000,?), ref: 0049290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00492955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00492964
GetStockObject.GDI32(00000011), ref: 00492974
SelectObject.GDI32(00000000,00000000), ref: 00492978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00492988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00492991
DeleteDC.GDI32(00000000), ref: 0049299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00492A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00492A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00492A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00492A77
GetStockObject.GDI32(00000011), ref: 00492A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00492A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00492A97

Strings

msctls_progress32, xrefs: 00492A13
AutoIt v3, xrefs: 004928F8
DISPLAY, xrefs: 0049295A
static, xrefs: 0049294F, 00492A71

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f02e6e03209e82f10c4dcfa8a99c1eccd857aca8c649c6cbd17841e4bc6b8f98
Instruction ID: ac55f365a4a78227d321ccebc7043afebb5a7eabf6cfe2735ba8c94126c14207
Opcode Fuzzy Hash: f02e6e03209e82f10c4dcfa8a99c1eccd857aca8c649c6cbd17841e4bc6b8f98
Instruction Fuzzy Hash: BFB16D71A40215BFEB14DFA8CD85FAF7BA9EB05714F004129F914EB2A1D774AD40CBA8

Function 00484ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00484AED
GetDriveTypeW.KERNEL32(?,004ACB68,?,\\.\,004ACC08), ref: 00484BCA
SetErrorMode.KERNEL32(00000000,004ACB68,?,\\.\,004ACC08), ref: 00484D36

Strings

CDROM, xrefs: 00484BFB
Virtual, xrefs: 00484CE5
SATA, xrefs: 00484CD0
PhysicalDrive, xrefs: 00484B76
1394, xrefs: 00484C9F
FileBackedVirtual, xrefs: 00484CEC
ATA, xrefs: 00484C98
RAID, xrefs: 00484CBB
Unknown, xrefs: 00484BED, 00484C83
SAS, xrefs: 00484CC9
RAMDisk, xrefs: 00484BF4
SSA, xrefs: 00484CA6
Fibre, xrefs: 00484CAD
\\.\, xrefs: 00484B3F
ATAPI, xrefs: 00484C91
MMC, xrefs: 00484CDE
Fixed, xrefs: 00484C09
SSD, xrefs: 00484C4A
Network, xrefs: 00484C02
SCSI, xrefs: 00484C8A
USB, xrefs: 00484CB4
Removable, xrefs: 00484C10, 00484C15
iSCSI, xrefs: 00484CC2

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7ebe6ad75f755881f33468f4446c242a2916dd2afe087671c2a08d4cf28eaebd
Instruction ID: 427a2dd218af584eb15e7a214791de95c45331cfc946f5d6ba2a1a272927d42f
Opcode Fuzzy Hash: 7ebe6ad75f755881f33468f4446c242a2916dd2afe087671c2a08d4cf28eaebd
Instruction Fuzzy Hash: 8161C2307011079BCB04FF24C991AADB7A5AB84744B22881BF806AB751DB7DED42DB5E

Function 004A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 004A7421
SetTextColor.GDI32(?,?), ref: 004A7425
GetSysColorBrush.USER32(0000000F), ref: 004A743B
GetSysColor.USER32(0000000F), ref: 004A7446
CreateSolidBrush.GDI32(?), ref: 004A744B
GetSysColor.USER32(00000011), ref: 004A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 004A7471
SelectObject.GDI32(?,00000000), ref: 004A7482
SetBkColor.GDI32(?,00000000), ref: 004A748B
SelectObject.GDI32(?,?), ref: 004A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 004A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 004A7572
DrawFocusRect.USER32(?,?), ref: 004A757D
GetSysColor.USER32(00000011), ref: 004A758E
SetTextColor.GDI32(?,00000000), ref: 004A7596
DrawTextW.USER32(?,004A70F5,000000FF,?,00000000), ref: 004A75A8
SelectObject.GDI32(?,?), ref: 004A75BF
DeleteObject.GDI32(?), ref: 004A75CA
SelectObject.GDI32(?,?), ref: 004A75D0
DeleteObject.GDI32(?), ref: 004A75D5
SetTextColor.GDI32(?,?), ref: 004A75DB
SetBkColor.GDI32(?,?), ref: 004A75E5

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 62cfe1381b38b71ccb6e936f21ed0db56e0524fea45440ced7ba65b98672198b
Instruction ID: 08a8fdc4e1a997d8656ee657d41150064e53ff0c03ac1a4196fc342feacf585f
Opcode Fuzzy Hash: 62cfe1381b38b71ccb6e936f21ed0db56e0524fea45440ced7ba65b98672198b
Instruction Fuzzy Hash: 41615F72D04218BFDF119FA4DC89AAE7FB9EB0A320F114125F915AB2A1D7749940CF94

Function 004A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004A1128
GetDesktopWindow.USER32 ref: 004A113D
GetWindowRect.USER32(00000000), ref: 004A1144
GetWindowLongW.USER32(?,000000F0), ref: 004A1199
DestroyWindow.USER32(?), ref: 004A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 004A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 004A1245
IsWindowVisible.USER32(00000000), ref: 004A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004A12D0
GetWindowRect.USER32(00000000,?), ref: 004A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 004A130E
GetMonitorInfoW.USER32(00000000,?), ref: 004A1328
CopyRect.USER32(?,?), ref: 004A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004A13AA

Strings

tooltips_class32, xrefs: 004A11E6
0, xrefs: 004A10D3
(, xrefs: 004A131B

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 22dc715e092b7db86997d443cd8f30914446447dd2da8694ece98b2402bc7719
Instruction ID: 0ffc2c64c37b8490d36b32f9974f36d28d8c94be82043d8f3acc072a01946b38
Opcode Fuzzy Hash: 22dc715e092b7db86997d443cd8f30914446447dd2da8694ece98b2402bc7719
Instruction Fuzzy Hash: 94B1AE71608340AFD700DF65C884BABBBE4FF99354F00891EF9999B261C735E845CB99

Function 004A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004A02E5
_wcslen.LIBCMT ref: 004A031F
_wcslen.LIBCMT ref: 004A0389
_wcslen.LIBCMT ref: 004A03F1
_wcslen.LIBCMT ref: 004A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004A0504

Part of subcall function 0042F9F2: _wcslen.LIBCMT ref: 0042F9FD

Part of subcall function 0047223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00472258
Part of subcall function 0047223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0047228A

Strings

GETITEMCOUNT, xrefs: 004A0316, 004A0337
SELECTINVERT, xrefs: 004A057E
GETSELECTEDCOUNT, xrefs: 004A0470, 004A048B
GETSUBITEMCOUNT, xrefs: 004A0384, 004A039F
VIEWCHANGE, xrefs: 004A0675
SELECT, xrefs: 004A0548
ISSELECTED, xrefs: 004A04DD
SELECTALL, xrefs: 004A0515
GETSELECTED, xrefs: 004A05E1
FINDITEM, xrefs: 004A0627
DESELECT, xrefs: 004A059C
GETTEXT, xrefs: 004A03EC, 004A0407
SELECTCLEAR, xrefs: 004A052D

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 8bae7d9e2864a4c7ddbb3d1f7814e8f1ae5bb241f1fc9bbb8b66333534eb2381
Instruction ID: 18ae399115aa6f0accb2650a70511161145c9c3628812edb00ffb1e0d68a9a9c
Opcode Fuzzy Hash: 8bae7d9e2864a4c7ddbb3d1f7814e8f1ae5bb241f1fc9bbb8b66333534eb2381
Instruction Fuzzy Hash: 9FE1D3312082009FC714DF25C55096BB3E2BFA9718F54496FF8969B391D738ED45CB8A

Function 00428891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00428968
GetSystemMetrics.USER32(00000007), ref: 00428970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0042899B
GetSystemMetrics.USER32(00000008), ref: 004289A3
GetSystemMetrics.USER32(00000004), ref: 004289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00428A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00428A3C
GetClientRect.USER32(00000000,000000FF), ref: 00428A5A
GetStockObject.GDI32(00000011), ref: 00428A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00428A81

Part of subcall function 0042912D: GetCursorPos.USER32(?), ref: 00429141
Part of subcall function 0042912D: ScreenToClient.USER32(00000000,?), ref: 0042915E
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000001), ref: 00429183
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000002), ref: 0042919D

SetTimer.USER32(00000000,00000000,00000028,004290FC), ref: 00428AA8

Strings

AutoIt v3 GUI, xrefs: 00428A20

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 5f8ba771d19987adb07de9170ad83bdb939ca2147108a9e47d0a27ffd58f4270
Instruction ID: f0d2f4109e6c040b0ed59e70fe219348a0646202f3286822d3bfbae8bd7143cb
Opcode Fuzzy Hash: 5f8ba771d19987adb07de9170ad83bdb939ca2147108a9e47d0a27ffd58f4270
Instruction Fuzzy Hash: 6DB1A171A002199FDB14DF68DC85BAE3BB5FB48315F11422AFA05EB290DB38E841CF59

Function 00470D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00471114
Part of subcall function 004710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471120
Part of subcall function 004710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 0047112F
Part of subcall function 004710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471136
Part of subcall function 004710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0047114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00470DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00470E29
GetLengthSid.ADVAPI32(?), ref: 00470E40
GetAce.ADVAPI32(?,00000000,?), ref: 00470E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00470E96
GetLengthSid.ADVAPI32(?), ref: 00470EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00470EB5
HeapAlloc.KERNEL32(00000000), ref: 00470EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00470EDD
CopySid.ADVAPI32(00000000), ref: 00470EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00470F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00470F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00470F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470F6E
HeapFree.KERNEL32(00000000), ref: 00470F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470F7E
HeapFree.KERNEL32(00000000), ref: 00470F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00470F8E
HeapFree.KERNEL32(00000000), ref: 00470F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00470FA1
HeapFree.KERNEL32(00000000), ref: 00470FA8

Part of subcall function 00471193: GetProcessHeap.KERNEL32(00000008,00470BB1,?,00000000,?,00470BB1,?), ref: 004711A1
Part of subcall function 00471193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00470BB1,?), ref: 004711A8
Part of subcall function 00471193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00470BB1,?), ref: 004711B7

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ad664e0038d737355d8e93589271598f1583315f857685ac41813197bac5a640
Instruction ID: 7099d9c0095d656a1b53d86a66b4f77c82821f2cff5746ffa2e987abacfeea12
Opcode Fuzzy Hash: ad664e0038d737355d8e93589271598f1583315f857685ac41813197bac5a640
Instruction Fuzzy Hash: 60714CB290520AEBDB20DFA5DC44BEFBBB8BF05300F148126F919B6291D7759905CF68

Function 0049C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,004ACC08,00000000,?,00000000,?,?), ref: 0049C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0049C5A4
_wcslen.LIBCMT ref: 0049C5F4
_wcslen.LIBCMT ref: 0049C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0049C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0049C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0049C84D
RegCloseKey.ADVAPI32(?), ref: 0049C881
RegCloseKey.ADVAPI32(00000000), ref: 0049C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0049C960

Strings

REG_DWORD, xrefs: 0049C804
REG_QWORD, xrefs: 0049C8C3
REG_BINARY, xrefs: 0049C913
REG_SZ, xrefs: 0049C644
REG_EXPAND_SZ, xrefs: 0049C5CD
REG_MULTI_SZ, xrefs: 0049C6F5

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: ea4ac931ed11933e21a7c83c2425bb7c7770304952f3a236188610cfefbc7cdd
Instruction ID: 4da2fe471f31ca3bfbd45d4141142f24a7ff825f6c59403002ef929b4aecf9e9
Opcode Fuzzy Hash: ea4ac931ed11933e21a7c83c2425bb7c7770304952f3a236188610cfefbc7cdd
Instruction Fuzzy Hash: ED1280312042019FDB14DF15C491A6ABBE5FF88358F05886EF8499B3A2DB39FC41CB89

Function 004A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004A09C6
_wcslen.LIBCMT ref: 004A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004A0A54
_wcslen.LIBCMT ref: 004A0A8A
_wcslen.LIBCMT ref: 004A0B06
_wcslen.LIBCMT ref: 004A0B81

Part of subcall function 0042F9F2: _wcslen.LIBCMT ref: 0042F9FD

Part of subcall function 00472BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00472BFA

Strings

EXISTS, xrefs: 004A0B7C, 004A0B97
EXPAND, xrefs: 004A0BF8
GETITEMCOUNT, xrefs: 004A0C1E
UNCHECK, xrefs: 004A0D3E
SELECT, xrefs: 004A0D11
GETSELECTED, xrefs: 004A0C4E
COLLAPSE, xrefs: 004A0B01, 004A0B1C
GETTOTALCOUNT, xrefs: 004A09F2, 004A0A17
GETTEXT, xrefs: 004A0C97
CHECK, xrefs: 004A0A85, 004A0AA0
ISCHECKED, xrefs: 004A0CE1

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 0720a5bfdb4e81eb8932f2283124a063d73bb46e898ebb9025f98d16490c2fe7
Instruction ID: 71bb98aa1d0cb647c24a067f9355aa1627f251d85bc7f1c45857d5aefb18cbd5
Opcode Fuzzy Hash: 0720a5bfdb4e81eb8932f2283124a063d73bb46e898ebb9025f98d16490c2fe7
Instruction Fuzzy Hash: 13E1D1712083019FC714DF25C45096AB7E2BFA9318F50895FF8999B3A2D738ED45CB8A

Function 0049C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
_wcslen.LIBCMT ref: 0049C9F1
_wcslen.LIBCMT ref: 0049CA68
_wcslen.LIBCMT ref: 0049CA9E
_wcslen.LIBCMT ref: 0049CAF9
_wcslen.LIBCMT ref: 0049CB2F
_wcslen.LIBCMT ref: 0049CB7F

Strings

HKU, xrefs: 0049CBF0
HKCU, xrefs: 0049CBCE
HKEY_CURRENT_CONFIG, xrefs: 0049CB79, 0049CB7E
HKLM, xrefs: 0049CA98, 0049CA9D
HKEY_LOCAL_MACHINE, xrefs: 0049CA62, 0049CA67
HKCR, xrefs: 0049CB29, 0049CB2E
HKEY_CURRENT_USER, xrefs: 0049CBBD
HKCC, xrefs: 0049CBAC
HKEY_CLASSES_ROOT, xrefs: 0049CAF3, 0049CAF8
HKEY_USERS, xrefs: 0049CBDF

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: bac4f9cd323f08682ec5b06894ef53aa53b38e830bd08fb05a1defae5ff1d7ed
Instruction ID: d5d863f6c86e870ab54e73c1e16bf93cde290a1e23b92c2b14424a1a4fa95069
Opcode Fuzzy Hash: bac4f9cd323f08682ec5b06894ef53aa53b38e830bd08fb05a1defae5ff1d7ed
Instruction Fuzzy Hash: 3071023260012A8BCF20DE78D9D16BF3B91AFA4764B50453BE85697384E63CDD8583AC

Function 004A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004A835A
_wcslen.LIBCMT ref: 004A836E
_wcslen.LIBCMT ref: 004A8391
_wcslen.LIBCMT ref: 004A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004A5BF2), ref: 004A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004A8501
FreeLibrary.KERNEL32(?), ref: 004A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004A851D
DestroyIcon.USER32(?,?,?,?,?,004A5BF2), ref: 004A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004A8555

Strings

.icl, xrefs: 004A8368
.dll, xrefs: 004A83AB
.exe, xrefs: 004A8388

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a0ba2eaa562fba035ce4f5868e329f6d95a4f8662d8f1f7125fc70b63ca8b933
Instruction ID: 87c3c71bab557bf3440b5ae3ca86f648046470f02ca5c71676a4d27e303ff600
Opcode Fuzzy Hash: a0ba2eaa562fba035ce4f5868e329f6d95a4f8662d8f1f7125fc70b63ca8b933
Instruction Fuzzy Hash: E061DF71900215BEEB14DF64CC81BFF7BA8FB19720F10451AF815DA1D1EB78A980CBA8

Function 00417778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 0045528C
#comments-end, xrefs: 004178D9
', xrefs: 00455169
#pragma compile, xrefs: 004177D3
#cs, xrefs: 00417873, 004178C5
", xrefs: 00455153
Bad directive syntax error, xrefs: 0045519A
#include, xrefs: 00417847
#include-once, xrefs: 0041782F
Cannot parse #include, xrefs: 00455279
#notrayicon, xrefs: 004177E7
#requireadmin, xrefs: 004177FF
#comments-start, xrefs: 0041785F, 004178B1
#OnAutoItStartRegister, xrefs: 00417817
#ce, xrefs: 004178ED

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 21c0a4db85087019c27a5669bc44e6d4c5a30fe63eb901d03337d645ae29b811
Instruction ID: 9163805a9ffd9d5412d66ca13c160e931ca9fb4f2aefb45c61f1c69912936ce9
Opcode Fuzzy Hash: 21c0a4db85087019c27a5669bc44e6d4c5a30fe63eb901d03337d645ae29b811
Instruction Fuzzy Hash: B681F470A40605ABDB20AF61DC52FEF7B74AF15304F04402BF805AA292EB7CD985C79D

Function 00483E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00483EF8
_wcslen.LIBCMT ref: 00483F03
_wcslen.LIBCMT ref: 00483F5A
_wcslen.LIBCMT ref: 00483F98
GetDriveTypeW.KERNEL32(?), ref: 00483FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0048401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00484059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00484087

Strings

open , xrefs: 00483FE5
close cd wait, xrefs: 00484072
closed, xrefs: 00483F08, 00483F2D, 00483F46, 00483F7E, 00483F97
set cd door , xrefs: 00484028
type cdaudio alias cd wait, xrefs: 00484001
open, xrefs: 00483F54, 00483F59
wait, xrefs: 00484044
close, xrefs: 00483EFE, 00483F18

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: b726c860f32b7690b1632d17fb7119f0f0fd9924b106f2dd857fb5e4f43bb1ef
Instruction ID: 71e3a7638ec9c3419b363a39a2abbf3ea2d0218442d8a22f393c237894bea0b1
Opcode Fuzzy Hash: b726c860f32b7690b1632d17fb7119f0f0fd9924b106f2dd857fb5e4f43bb1ef
Instruction Fuzzy Hash: 6471AC316042129FC310EF24C8909AFB7E4EF99B58B10492FFA9597251EB38ED45CB99

Function 00475A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00475A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00475A40
SetWindowTextW.USER32(?,?), ref: 00475A57
GetDlgItem.USER32(?,000003EA), ref: 00475A6C
SetWindowTextW.USER32(00000000,?), ref: 00475A72
GetDlgItem.USER32(?,000003E9), ref: 00475A82
SetWindowTextW.USER32(00000000,?), ref: 00475A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00475AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00475AC3
GetWindowRect.USER32(?,?), ref: 00475ACC
_wcslen.LIBCMT ref: 00475B33
SetWindowTextW.USER32(?,?), ref: 00475B6F
GetDesktopWindow.USER32 ref: 00475B75
GetWindowRect.USER32(00000000), ref: 00475B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00475BD3
GetClientRect.USER32(?,?), ref: 00475BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00475C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00475C2F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 15b77cc3a12dcd2901aa2ecc5caedef83fd7d4d0605f2cc54582615693e99587
Instruction ID: d68c9926c70e6a31f208645eeaef471f8df6a7d1c520532eabc3135bfbba4c8e
Opcode Fuzzy Hash: 15b77cc3a12dcd2901aa2ecc5caedef83fd7d4d0605f2cc54582615693e99587
Instruction Fuzzy Hash: CE718231900B059FDB20DFA8CE85AAFBBF5FF48704F104529E146A66A0D7B4F944CB54

Function 0048FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0048FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0048FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0048FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0048FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0048FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0048FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0048FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0048FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0048FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0048FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0048FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0048FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0048FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0048FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0048FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0048FECC
GetCursorInfo.USER32(?), ref: 0048FEDC
GetLastError.KERNEL32 ref: 0048FF1E

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 1cae7388290d62eb1e9138eb1ab7b6de09495a8b3acbfb82c8e11b89813763ed
Instruction ID: f024c8a07490e52d5bf28ffbe9aa5142c39de002ac0c7f767aa7bf45c1c17f68
Opcode Fuzzy Hash: 1cae7388290d62eb1e9138eb1ab7b6de09495a8b3acbfb82c8e11b89813763ed
Instruction Fuzzy Hash: D34131B0D443196ADB10DFBA8C8985EBFE8FF04754B50452BE21DE7281DB78E9018F95

Function 004730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0047318D
_wcslen.LIBCMT ref: 004731F8

Strings

REGEXPCLASS, xrefs: 00473255, 00473266
TEXT, xrefs: 0047347C
INSTANCE, xrefs: 00473453
NAME, xrefs: 00473335, 00473346
CLASS, xrefs: 00473188, 004731A5
CLASSNN, xrefs: 004731F3, 00473204
[M, xrefs: 0047339A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[M
API String ID: 176396367-3897780819
Opcode ID: b96623a95b347f7aca3d4d8b97c3991ae9194941cbfa1ecd679a5c21578a44c8
Instruction ID: aa63f2a369256b94df989cc275171d9e3d6b15e2fc1709ac387eae9b27f71ea6
Opcode Fuzzy Hash: b96623a95b347f7aca3d4d8b97c3991ae9194941cbfa1ecd679a5c21578a44c8
Instruction Fuzzy Hash: 90E1E432A00516ABCB289F74C4517EEBBB0BF44715F54C12BE45AB7340DF38AE85A798

Function 004300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004300C6

Part of subcall function 004300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(004E070C,00000FA0,D5B5E8DE,?,?,?,?,004523B3,000000FF), ref: 0043011C
Part of subcall function 004300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004523B3,000000FF), ref: 00430127
Part of subcall function 004300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004523B3,000000FF), ref: 00430138
Part of subcall function 004300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0043014E
Part of subcall function 004300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0043015C
Part of subcall function 004300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0043016A
Part of subcall function 004300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00430195
Part of subcall function 004300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004301A0

___scrt_fastfail.LIBCMT ref: 004300E7

Part of subcall function 004300A3: __onexit.LIBCMT ref: 004300A9

Strings

SleepConditionVariableCS, xrefs: 00430154
kernel32.dll, xrefs: 00430133
WakeAllConditionVariable, xrefs: 00430162
InitializeConditionVariable, xrefs: 00430148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00430122

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 8424aec140013ab03561fba2c7cc318467006b6a89ece3e2d06ac802320f4b1a
Instruction ID: d4bd76f16599715a784a70480cebc38e1d83c7f5d8cb9fa6486302071be1f816
Opcode Fuzzy Hash: 8424aec140013ab03561fba2c7cc318467006b6a89ece3e2d06ac802320f4b1a
Instruction Fuzzy Hash: 2E21FC32B447106BDB116BA5AC55B6A77E4DB1AB61F10033BF801A7791DBBD5C008A9C

Function 004844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,004ACC08), ref: 00484527
_wcslen.LIBCMT ref: 0048453B
_wcslen.LIBCMT ref: 00484599
_wcslen.LIBCMT ref: 004845F4
_wcslen.LIBCMT ref: 0048463F
_wcslen.LIBCMT ref: 004846A7

Part of subcall function 0042F9F2: _wcslen.LIBCMT ref: 0042F9FD

GetDriveTypeW.KERNEL32(?,004D6BF0,00000061), ref: 00484743

Strings

all, xrefs: 00484531, 00484536
unknown, xrefs: 00484708
fixed, xrefs: 00484635, 0048463A
network, xrefs: 0048469D, 004846A2
cdrom, xrefs: 0048458F, 00484594
ramdisk, xrefs: 004846F1
removable, xrefs: 004845EA, 004845EF

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: a2d2277e741d4015f6cde9329ad8f7ab1f6da727179d9b750c3183022b816716
Instruction ID: 0698786d47ba9e68c8ff4849903cbcedee9b381c6aae5198ddae73ed37c08107
Opcode Fuzzy Hash: a2d2277e741d4015f6cde9329ad8f7ab1f6da727179d9b750c3183022b816716
Instruction Fuzzy Hash: BFB1DE316083029BC310EF29C890A6FB7E5AFE5724F504D1FF59697291E738E845CB5A

Function 004A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

DragQueryPoint.SHELL32(?,?), ref: 004A9147

Part of subcall function 004A7674: ClientToScreen.USER32(?,?), ref: 004A769A
Part of subcall function 004A7674: GetWindowRect.USER32(?,?), ref: 004A7710
Part of subcall function 004A7674: PtInRect.USER32(?,?,004A8B89), ref: 004A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 004A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 004A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 004A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 004A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 004A9277
DragFinish.SHELL32(?), ref: 004A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004A9371

Strings

p#N, xrefs: 004A92BB
@GUI_DROPID, xrefs: 004A929E
@GUI_DRAGID, xrefs: 004A92E9
@GUI_DRAGFILE, xrefs: 004A9320

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#N
API String ID: 221274066-3777839306
Opcode ID: fb11f4cb25d4cca32d578a96fd01ea80aff25c89b9804c16dc353d1a40ead24b
Instruction ID: 1a6b1795c3cc3da4ae714f8f05d55f9eeb9ab44cdba21cae6a91b786647a3ec2
Opcode Fuzzy Hash: fb11f4cb25d4cca32d578a96fd01ea80aff25c89b9804c16dc353d1a40ead24b
Instruction Fuzzy Hash: 56618D71108300AFC701EF65DC85EAFBBE8EF99354F00092EF595931A1DB749A49CB9A

Function 0041326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(004E1990), ref: 00452F8D
GetMenuItemCount.USER32(004E1990), ref: 0045303D
GetCursorPos.USER32(?), ref: 00453081
SetForegroundWindow.USER32(00000000), ref: 0045308A
TrackPopupMenuEx.USER32(004E1990,00000000,?,00000000,00000000,00000000), ref: 0045309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004530A9

Strings

0, xrefs: 0041327D

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 599c75741219997bade773841e3042aadca866dce69520f094be17eced15d794
Instruction ID: d52a3e0dce57be7f60c5b77a1431bcbed5ec4adafd949a2b997b8c1421e7ff8d
Opcode Fuzzy Hash: 599c75741219997bade773841e3042aadca866dce69520f094be17eced15d794
Instruction Fuzzy Hash: 7D716931640205BEEB219F24DC89FDBBF64FF02365F204217F9146A2E1C7B9A954DB98

Function 004A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 004A6DEB

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004A6E94
DestroyWindow.USER32(?), ref: 004A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00410000,00000000), ref: 004A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004A6EFD
GetDesktopWindow.USER32 ref: 004A6F16
GetWindowRect.USER32(00000000), ref: 004A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004A6F4D

Part of subcall function 00429944: GetWindowLongW.USER32(?,000000EB), ref: 00429952

Strings

tooltips_class32, xrefs: 004A6E58, 004A6EDD
0, xrefs: 004A6D98

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: e0cd5f90fcd73690cf8c5ab392a1d1636a5a422d21d77e6fbddd6ac0f1e6dbee
Instruction ID: 480449d6847d523ead7291c8894ffbcea8572c8879d447d827b19be4b4543d40
Opcode Fuzzy Hash: e0cd5f90fcd73690cf8c5ab392a1d1636a5a422d21d77e6fbddd6ac0f1e6dbee
Instruction Fuzzy Hash: 16716B74144244AFDB21CF18DC84BABBBE9FB9A304F49042EF999873A1C774E905CB19

Function 0048C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0048C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0048C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0048C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0048C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0048C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0048C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0048C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0048C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0048C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0048C5F0
InternetCloseHandle.WININET(00000000), ref: 0048C5FB

Strings

, xrefs: 0048C575

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 68fb875449e4cc42c6dca594d0758b07764563a79b01867c82de9594eaedf6e5
Instruction ID: e6696c870a8f472e951e1b2e8277b7b114244663c75e5189ff1b9eef0f6f2f84
Opcode Fuzzy Hash: 68fb875449e4cc42c6dca594d0758b07764563a79b01867c82de9594eaedf6e5
Instruction Fuzzy Hash: B0515DB5500205BFDB21AF61C9C8AAF7BFCFF09754F00482AF94596250DB38E9449B78

Function 004A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 004A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85BA
GlobalLock.KERNEL32(00000000), ref: 004A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85D7
GlobalUnlock.KERNEL32(00000000), ref: 004A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,004AFC38,?), ref: 004A8611
GlobalFree.KERNEL32(00000000), ref: 004A8621
GetObjectW.GDI32(?,00000018,?), ref: 004A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 004A8671
DeleteObject.GDI32(?), ref: 004A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004A86AF

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 3109d90dc184fdbb912968a58aa33ab52785152fe92feac7fc2717fb69d8b838
Instruction ID: e6ec7d9842439c99f61616a9e84471a96dcc8ccf038acd46d5fdce04b350a222
Opcode Fuzzy Hash: 3109d90dc184fdbb912968a58aa33ab52785152fe92feac7fc2717fb69d8b838
Instruction Fuzzy Hash: DF41FA75A00208BFDB519FA5DC88EAB7BB8FF9A711F144069F905E7260DB349901CB68

Function 004814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00481502
VariantCopy.OLEAUT32(?,?), ref: 0048150B
VariantClear.OLEAUT32(?), ref: 00481517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00481657
VariantInit.OLEAUT32(?), ref: 00481708
SysFreeString.OLEAUT32(?), ref: 0048178C
VariantClear.OLEAUT32(?), ref: 004817D8
VariantClear.OLEAUT32(?), ref: 004817E7
VariantInit.OLEAUT32(00000000), ref: 00481823

Strings

Default, xrefs: 004816AF
%4d%02d%02d%02d%02d%02d, xrefs: 00481625

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 8626206c736955df7ae1993ca3d08af2af09fa440c0c0578b02da9b46500e2d1
Instruction ID: 1e7e7bfefe4b90ca68e4988ad8633cfb91fafc46916d762e6377b0326fef6c0c
Opcode Fuzzy Hash: 8626206c736955df7ae1993ca3d08af2af09fa440c0c0578b02da9b46500e2d1
Instruction Fuzzy Hash: 62D11571600111EBDB00AF69E884B7DB7B9BF45700F50886BF446AB2A0DB38DC47DB5A

Function 0049B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0049B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0049B80A
RegCloseKey.ADVAPI32(?), ref: 0049B87E
RegCloseKey.ADVAPI32(?), ref: 0049B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0049B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0049B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0049B922
FreeLibrary.KERNEL32(00000000), ref: 0049B983
RegCloseKey.ADVAPI32(00000000), ref: 0049B994

Strings

advapi32.dll, xrefs: 0049B8ED
RegDeleteKeyExW, xrefs: 0049B8FE

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: f4dfe2cbd5043bef8a05754c3a9d85b1d30be51a35c1f5ef1db0f3418d6acc88
Instruction ID: fa615ed0b01782387e58b718d2a11691133ab1bdceb8145f8568586ea849ea40
Opcode Fuzzy Hash: f4dfe2cbd5043bef8a05754c3a9d85b1d30be51a35c1f5ef1db0f3418d6acc88
Instruction Fuzzy Hash: DAC18F70204201AFDB10DF15D594F2ABBE5FF84308F1485AEE5994B3A2C779EC46CB95

Function 0049255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004925E8
CreateCompatibleDC.GDI32(?), ref: 004925F4
SelectObject.GDI32(00000000,?), ref: 00492601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0049266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004926D0
SelectObject.GDI32(?,?), ref: 004926D8
DeleteObject.GDI32(?), ref: 004926E1
DeleteDC.GDI32(?), ref: 004926E8
ReleaseDC.USER32(00000000,?), ref: 004926F3

Strings

(, xrefs: 0049268D

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e7c76a15e1f6273465474079c167818fed6e7a976a8e3e44bc5312cc5a85b3a9
Instruction ID: afe30b257a05467c9fec05000a697a3f78429f877108e9f3009296d23cb2d67e
Opcode Fuzzy Hash: e7c76a15e1f6273465474079c167818fed6e7a976a8e3e44bc5312cc5a85b3a9
Instruction Fuzzy Hash: 6561D1B5E00219EFCF05CFA4D984AAEBBB5FF48310F20852AE955A7250E774A941CF94

Function 0044DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0044DAA1

Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D659
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D66B
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D67D
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D68F
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6A1
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6B3
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6C5
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6D7
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6E9
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D6FB
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D70D
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D71F
Part of subcall function 0044D63C: _free.LIBCMT ref: 0044D731

_free.LIBCMT ref: 0044DA96

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044DAB8
_free.LIBCMT ref: 0044DACD
_free.LIBCMT ref: 0044DAD8
_free.LIBCMT ref: 0044DAFA
_free.LIBCMT ref: 0044DB0D
_free.LIBCMT ref: 0044DB1B
_free.LIBCMT ref: 0044DB26
_free.LIBCMT ref: 0044DB5E
_free.LIBCMT ref: 0044DB65
_free.LIBCMT ref: 0044DB82
_free.LIBCMT ref: 0044DB9A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c105ba9458f2702fb0df8d2a44a6a4991dc3ad4c0ac3a8d1d5cfe33d60b762af
Instruction ID: 0fbc7f903a6bfa94f2bcc192590e3471ce0bd6f3987e2933896b359906d1fcbb
Opcode Fuzzy Hash: c105ba9458f2702fb0df8d2a44a6a4991dc3ad4c0ac3a8d1d5cfe33d60b762af
Instruction Fuzzy Hash: 51316AB1A046459FFB21AA3AE945B5BB7E9FF00314F51442BF049D7291DA78AC40C728

Function 0047365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0047369C
_wcslen.LIBCMT ref: 004736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00473797
GetClassNameW.USER32(?,?,00000400), ref: 0047380C
GetDlgCtrlID.USER32(?), ref: 0047385D
GetWindowRect.USER32(?,?), ref: 00473882
GetParent.USER32(?), ref: 004738A0
ScreenToClient.USER32(00000000), ref: 004738A7
GetClassNameW.USER32(?,?,00000100), ref: 00473921
GetWindowTextW.USER32(?,?,00000400), ref: 0047395D

Strings

%s%u, xrefs: 00473734

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3ee711676b9be292302927535824d43032d8a856ff6ed10647d211009fc797ff
Instruction ID: 7106b567ec3585191244bd828ee75418fe1e49136e2ca5b3a6696f0e1cf8f10d
Opcode Fuzzy Hash: 3ee711676b9be292302927535824d43032d8a856ff6ed10647d211009fc797ff
Instruction Fuzzy Hash: C691C3B1204206AFD718DF24C884BEBB7E8FF44315F00C52AFA9D82250DB38EA45DB95

Function 00474954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00474994
GetWindowTextW.USER32(?,?,00000400), ref: 004749DA
_wcslen.LIBCMT ref: 004749EB
CharUpperBuffW.USER32(?,00000000), ref: 004749F7
_wcsstr.LIBVCRUNTIME ref: 00474A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00474A64
GetWindowTextW.USER32(?,?,00000400), ref: 00474A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00474AE6
GetClassNameW.USER32(?,?,00000400), ref: 00474B20
GetWindowRect.USER32(?,?), ref: 00474B8B

Strings

ThumbnailClass, xrefs: 00474A6F, 00474AF1

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a241618ee9a1aff6ab3c65ff6abcf850d1e318a96d8ec44b4220d26f6d52b681
Instruction ID: 3e46f777533f94fe0d5f87b77e93d849d40ddff76415f2c031b173f9daee5041
Opcode Fuzzy Hash: a241618ee9a1aff6ab3c65ff6abcf850d1e318a96d8ec44b4220d26f6d52b681
Instruction Fuzzy Hash: 0D91AC711042059FDB05DE14C981BFBB7E8EF84314F04846BED899A296DB38ED45CBAA

Function 004A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004A8D5A
GetFocus.USER32 ref: 004A8D6A
GetDlgCtrlID.USER32(00000000), ref: 004A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 004A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 004A8ECF
GetMenuItemCount.USER32(?), ref: 004A8EEC
GetMenuItemID.USER32(?,00000000), ref: 004A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 004A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 004A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004A8FA1

Strings

0, xrefs: 004A8E9F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 7bc6d3c64b8ebf5ae01fe22a8847a99c6d13b2a3ea2c7af1079b2e393a8aa3a6
Instruction ID: a1483002659df2c769b64139de1c9b98ef7785f78553308075a25c6b183a3a62
Opcode Fuzzy Hash: 7bc6d3c64b8ebf5ae01fe22a8847a99c6d13b2a3ea2c7af1079b2e393a8aa3a6
Instruction Fuzzy Hash: 2C81B371504311AFDB10CF24D884A6BBBE9FFAA314F14092EF985D7291DB78D901CB69

Function 0047DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0047DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0047DC46
_wcslen.LIBCMT ref: 0047DC50
_wcsstr.LIBVCRUNTIME ref: 0047DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0047DCBC

Strings

%u.%u.%u.%u, xrefs: 0047DD9A
\VarFileInfo\Translation, xrefs: 0047DCB4
DefaultLangCodepage, xrefs: 0047DD1F
StringFileInfo\, xrefs: 0047DC8F
04090000, xrefs: 0047DCF2

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 02bfc9abe3a274e56ed06f8e380c05fda1abc8c723e2014e049120b1bf87454b
Instruction ID: b3fee1bfc6078b955bec20cc79ca37a490acab5d2dd6c5a520f950a9bc8bd273
Opcode Fuzzy Hash: 02bfc9abe3a274e56ed06f8e380c05fda1abc8c723e2014e049120b1bf87454b
Instruction Fuzzy Hash: A8412432A402107ADB15A661AC83FFF37BCDF5A714F50406FF904A2182EB7DA90197AD

Function 0049CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0049CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0049CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0049CD48

Part of subcall function 0049CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0049CCAA
Part of subcall function 0049CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0049CCBD
Part of subcall function 0049CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0049CCCF
Part of subcall function 0049CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0049CD05
Part of subcall function 0049CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0049CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0049CCF3

Strings

advapi32.dll, xrefs: 0049CCB8
RegDeleteKeyExW, xrefs: 0049CCC9

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 96e21358bb9ea3f98390cb7f73ff936c887cce294f6a27e653639b81f8fa2f58
Instruction ID: 7538443a2070a75c8f6738d5cf86d3d8f676141747eedc8856924e3f1a3f32c1
Opcode Fuzzy Hash: 96e21358bb9ea3f98390cb7f73ff936c887cce294f6a27e653639b81f8fa2f58
Instruction Fuzzy Hash: 1B316071A41129BBDB209B95DCC8EFFBF7CEF46754F000176F905E2240D6389E459AA8

Function 00483D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00483D40
_wcslen.LIBCMT ref: 00483D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00483D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00483DBE
RemoveDirectoryW.KERNEL32(?), ref: 00483DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00483E55
CloseHandle.KERNEL32(00000000), ref: 00483E60
CloseHandle.KERNEL32(00000000), ref: 00483E6B

Strings

\, xrefs: 00483D77
\??\%s, xrefs: 00483D5B
:, xrefs: 00483D82

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 80ac30bf395c0d8dca7af9d18548eadca34b56373005702233e20461d83ba766
Instruction ID: 01218be2fc8f2de56f93013dde21c61150c6cbe48c7afecb1293de8e9cae7b58
Opcode Fuzzy Hash: 80ac30bf395c0d8dca7af9d18548eadca34b56373005702233e20461d83ba766
Instruction Fuzzy Hash: 6B31B6729001096BDB21AFA0DC85FEF37BCEF89B05F1044B6F905D6150EB7897458B28

Function 0047E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0047E6B4

Part of subcall function 0042E551: timeGetTime.WINMM(?,?,0047E6D4), ref: 0042E555

Sleep.KERNEL32(0000000A), ref: 0047E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0047E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0047E727
SetActiveWindow.USER32 ref: 0047E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0047E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0047E773
Sleep.KERNEL32(000000FA), ref: 0047E77E
IsWindow.USER32 ref: 0047E78A
EndDialog.USER32(00000000), ref: 0047E79B

Strings

BUTTON, xrefs: 0047E719

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0ce4e31316d84ee1a9df28ce108d7ae3b03154ccf470b9ad86f47536e608884c
Instruction ID: 494c76b985108189b84701e682c771b886766d41e0b061f8c7d00f00864028ea
Opcode Fuzzy Hash: 0ce4e31316d84ee1a9df28ce108d7ae3b03154ccf470b9ad86f47536e608884c
Instruction Fuzzy Hash: 0121D4B0200244AFEB105F36EDC9A663F6DF71A349F108676F409952B2DBB5AC009A2C

Function 0047E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0047EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0047EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0047EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0047EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0047EAA7

Strings

status PlayMe mode, xrefs: 0047EA58
play PlayMe wait, xrefs: 0047EA91
open , xrefs: 0047EA0C
close PlayMe, xrefs: 0047EA6E, 0047EA9B
alias PlayMe, xrefs: 0047EA36
play PlayMe, xrefs: 0047EAA2

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: df8e3da0a5e259090cab6440a6af7588a6aaf42412739cb9de69359772a0b638
Instruction ID: 185efa22bfd07092d35c6ad2d555b2b30407d90891556a1a8f714cf41da1f940
Opcode Fuzzy Hash: df8e3da0a5e259090cab6440a6af7588a6aaf42412739cb9de69359772a0b638
Instruction Fuzzy Hash: 6E11E370A9021979D720A7A2DC6AEFF6B7CEBC1F04F10046BB801A21D0EE781D45C9B8

Function 00475CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00475CE2
GetWindowRect.USER32(00000000,?), ref: 00475CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00475D59
GetDlgItem.USER32(?,00000002), ref: 00475D69
GetWindowRect.USER32(00000000,?), ref: 00475D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00475DCF
GetDlgItem.USER32(?,000003E9), ref: 00475DDD
GetWindowRect.USER32(00000000,?), ref: 00475DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00475E31
GetDlgItem.USER32(?,000003EA), ref: 00475E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00475E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00475E67

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 85fce70f1bc3c6a58b00dbe9f269ff0012521eeb4d645d9ced75c338d75638a7
Instruction ID: 7af9dc3cde50717f7a15d0e0f9f9ffc130238e322a778124ca07208abb8f559d
Opcode Fuzzy Hash: 85fce70f1bc3c6a58b00dbe9f269ff0012521eeb4d645d9ced75c338d75638a7
Instruction Fuzzy Hash: 3C510E71B00605AFDF18CFA8DD89AAEBBB5FB48300F548129F519E7290D7749E04CB54

Function 00428BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00428F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00428BE8,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 00428FC5

DestroyWindow.USER32(?), ref: 00428C81
KillTimer.USER32(00000000,?,?,?,?,00428BBA,00000000,?), ref: 00428D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00466973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 004669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00428BBA,00000000,?), ref: 004669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00428BBA,00000000), ref: 004669D4
DeleteObject.GDI32(00000000), ref: 004669E6

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d312ec482637de34eab6c8cb0abf800ef1d87be553b45fe41c1f9b4440f380c5
Instruction ID: 6c6c78c700273877c720b5be97dd70d0af4906cd395b8db5d91e4763b518ce99
Opcode Fuzzy Hash: d312ec482637de34eab6c8cb0abf800ef1d87be553b45fe41c1f9b4440f380c5
Instruction Fuzzy Hash: FA61C170202620DFDB219F15EA88B2A7BF1FB41316F55452EE0429B671CB39AC81CF9D

Function 00429838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00429944: GetWindowLongW.USER32(?,000000EB), ref: 00429952

GetSysColor.USER32(0000000F), ref: 00429862

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5a4886a40c9aaeaf3bb6ae34570c01d04d3e4fd7cde98486b7776afaba0a22ec
Instruction ID: f874ee9d2f2be3fd10760c2b7717790b9c456f1175dcccdab44d2fb6697bf3e7
Opcode Fuzzy Hash: 5a4886a40c9aaeaf3bb6ae34570c01d04d3e4fd7cde98486b7776afaba0a22ec
Instruction Fuzzy Hash: 1741FA31600650AFDB206F38AC84BBA3B65EB17330F584656F9A2873E2D7349C42DB19

Function 00448D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.C, xrefs: 0044903A, 00448FD0, 00448FF2

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: .C
API String ID: 0-1181961956
Opcode ID: 9b58f5dabe3077509171e732bff81eb824458f57b6083445ac5ab056f66e97ef
Instruction ID: eb9610bd3511200ec6d90fa95a5c7e010e857ca5343351805dd7b5ce85707d63
Opcode Fuzzy Hash: 9b58f5dabe3077509171e732bff81eb824458f57b6083445ac5ab056f66e97ef
Instruction Fuzzy Hash: 1EC1F474D04249AFEF11DFA9D841BAFBBB0AF09314F14409AF814A7392C7798D42DB69

Function 004796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0045F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00479717
LoadStringW.USER32(00000000,?,0045F7F8,00000001), ref: 00479720

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0045F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00479742
LoadStringW.USER32(00000000,?,0045F7F8,00000001), ref: 00479745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00479866

Strings

Line %d:, xrefs: 004797A0
Line %d (File "%s"):, xrefs: 0047978F
Error: , xrefs: 0047981D
%s (%d) : ==> %s: %s %s, xrefs: 0047984A
^ ERROR, xrefs: 004797FB

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3ee9530a851cd0c7f38de4390686cf59642ea22bf7a459988ec1dc21611975c2
Instruction ID: 47649ed6707ce6315a6fb9766a92006ead74d56158a65ab5c8854d2702f008b9
Opcode Fuzzy Hash: 3ee9530a851cd0c7f38de4390686cf59642ea22bf7a459988ec1dc21611975c2
Instruction Fuzzy Hash: A1416572800119AADF04FBE1CD96DEE7778AF15744F50402BF60572192EB396F88CB69

Function 004706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00470804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0047082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00470837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0047083C

Strings

\IPC$, xrefs: 00470784
\CLSID, xrefs: 00470724
SOFTWARE\Classes\, xrefs: 0047070E

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 2105aacdd6c737f33dc8ded460abfac6fe9d8952a66773c56c8a4bb317b591c2
Instruction ID: 971b3f1af4e9c7bad6bcaabeef2f6bc07191664b0645e154af9b29989f684920
Opcode Fuzzy Hash: 2105aacdd6c737f33dc8ded460abfac6fe9d8952a66773c56c8a4bb317b591c2
Instruction Fuzzy Hash: 0C413B71C11228EBCF15EFA4DC95CEEB778BF04354F15412AE905A3260EB38AE44CB94

Function 00493C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00493C5C
CoInitialize.OLE32(00000000), ref: 00493C8A
CoUninitialize.OLE32 ref: 00493C94
_wcslen.LIBCMT ref: 00493D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00493DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00493ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00493F0E
CoGetObject.OLE32(?,00000000,004AFB98,?), ref: 00493F2D
SetErrorMode.KERNEL32(00000000), ref: 00493F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00493FC4
VariantClear.OLEAUT32(?), ref: 00493FD8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: bd28a41bbed7338230c01f431dd6a8a5859c679330a8b047e730b4abd573d918
Instruction ID: f46ce77e6ea40ec39aeecf3c65ce7f6ba73e3857271a89658ab5552a3a1d6a17
Opcode Fuzzy Hash: bd28a41bbed7338230c01f431dd6a8a5859c679330a8b047e730b4abd573d918
Instruction Fuzzy Hash: 23C158716083059FCB00DF65C88496BBBE9FF8A749F00496EF98A9B210D734EE05CB56

Function 00487A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00487AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00487B8F
SHGetDesktopFolder.SHELL32(?), ref: 00487BA3
CoCreateInstance.OLE32(004AFD08,00000000,00000001,004D6E6C,?), ref: 00487BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00487C74
CoTaskMemFree.OLE32(?,?), ref: 00487CCC
SHBrowseForFolderW.SHELL32(?), ref: 00487D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00487D7A
CoTaskMemFree.OLE32(00000000), ref: 00487D81
CoTaskMemFree.OLE32(00000000), ref: 00487DD6
CoUninitialize.OLE32 ref: 00487DDC

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 5ce2fca2df1c0f1af2976dfdea444bb9711469775f9fc02b0fe9a823da8672c2
Instruction ID: 88d8fb7e9a5a88090902244ea6af08d937b7dc800ece08ee49cd5c22bb9600be
Opcode Fuzzy Hash: 5ce2fca2df1c0f1af2976dfdea444bb9711469775f9fc02b0fe9a823da8672c2
Instruction Fuzzy Hash: 73C13D75A04105AFCB14EFA4C894DAEBBF9FF48308B1484A9E81ADB361D734ED41CB94

Function 004A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004A5515
CharNextW.USER32(00000158), ref: 004A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004A55AC

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2efb1f7c96c8081bb18d15c9847767f811f787cce9b19fadcfeee2f16e489ed0
Instruction ID: 886126b4b6221783a70d92fb59f16fe1a659533b40aeb0ed112194b5baff34cd
Opcode Fuzzy Hash: 2efb1f7c96c8081bb18d15c9847767f811f787cce9b19fadcfeee2f16e489ed0
Instruction Fuzzy Hash: F161BE71900608FBDF10DF54CD84AFF3BB9EB2B320F104156F925AA291D7388A81DB69

Function 0046FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0046FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0046FB08
VariantInit.OLEAUT32(?), ref: 0046FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0046FB3A
VariantCopy.OLEAUT32(?,?), ref: 0046FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0046FBA1
VariantClear.OLEAUT32(?), ref: 0046FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0046FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0046FBCC
VariantClear.OLEAUT32(?), ref: 0046FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0046FBE9

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c215a2eadedc096187399e35b036147ca007a2358cc53a2e26fafaf8e74fc690
Instruction ID: 69da9d415d22f4735617171077b00187f906dca4e4e7837b33ff6fada278e84d
Opcode Fuzzy Hash: c215a2eadedc096187399e35b036147ca007a2358cc53a2e26fafaf8e74fc690
Instruction Fuzzy Hash: E9417275A002199FCB00DF64D8949EEBFB9FF49344F00807AE945A7261DB34E945CF99

Function 00479C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00479CA1
GetAsyncKeyState.USER32(000000A0), ref: 00479D22
GetKeyState.USER32(000000A0), ref: 00479D3D
GetAsyncKeyState.USER32(000000A1), ref: 00479D57
GetKeyState.USER32(000000A1), ref: 00479D6C
GetAsyncKeyState.USER32(00000011), ref: 00479D84
GetKeyState.USER32(00000011), ref: 00479D96
GetAsyncKeyState.USER32(00000012), ref: 00479DAE
GetKeyState.USER32(00000012), ref: 00479DC0
GetAsyncKeyState.USER32(0000005B), ref: 00479DD8
GetKeyState.USER32(0000005B), ref: 00479DEA

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7496078645f185c8b955c02ad3bdb58ae11c5035c34322887f17f5e42b53c589
Instruction ID: 105258d4d7e9098a205df19608756355a8728712edbacb0a07328e843bb98f96
Opcode Fuzzy Hash: 7496078645f185c8b955c02ad3bdb58ae11c5035c34322887f17f5e42b53c589
Instruction Fuzzy Hash: 9F41D8345047C96DFF71866484443F7BEA16B12344F08C05BDACA567C2EBAC9DC8C79A

Function 0049055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004905BC
inet_addr.WSOCK32(?), ref: 0049061C
gethostbyname.WSOCK32(?), ref: 00490628
IcmpCreateFile.IPHLPAPI ref: 00490636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004907B9
WSACleanup.WSOCK32 ref: 004907BF

Strings

Ping, xrefs: 00490676

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 35b271760b3fe989d2de4de195e4d215d81501438eb02a27fff2c89ccfa652c0
Instruction ID: d698bc833c7678b93aeb067f8947c4fc809515c985cc515df99e0be90776a55b
Opcode Fuzzy Hash: 35b271760b3fe989d2de4de195e4d215d81501438eb02a27fff2c89ccfa652c0
Instruction Fuzzy Hash: 49917E35604201AFDB20DF15D488F1ABFE0AF44328F1585AAE4698B7A2C738ED85CF95

Function 00498CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00498CF3

Part of subcall function 00478E54: _wcslen.LIBCMT ref: 00478E77

_wcslen.LIBCMT ref: 00498D4E
_wcslen.LIBCMT ref: 00498D9C
_wcslen.LIBCMT ref: 00498DDC
_wcslen.LIBCMT ref: 00498E6E

Strings

stdcall, xrefs: 00498DD6, 00498DDB
cdecl, xrefs: 00498D48, 00498D4D
winapi, xrefs: 00498D96, 00498D9B
none, xrefs: 00498E65, 00498E6A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 2988b8d1db754f97fcb01959b2ec187e4289b9debbd9552d54519e9fb1cf070f
Instruction ID: f2321c66c4dea0c95bd39490f25074e66ef5b59c05288e109135086d3958da2f
Opcode Fuzzy Hash: 2988b8d1db754f97fcb01959b2ec187e4289b9debbd9552d54519e9fb1cf070f
Instruction Fuzzy Hash: 9F519071A001169BCF14DF6DC9609BEBBA5AF66324B21423FE426E7384DB39DD40C798

Function 0049372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00493774
CoUninitialize.OLE32 ref: 0049377F
CoCreateInstance.OLE32(?,00000000,00000017,004AFB78,?), ref: 004937D9
IIDFromString.OLE32(?,?), ref: 0049384C
VariantInit.OLEAUT32(?), ref: 004938E4
VariantClear.OLEAUT32(?), ref: 00493936

Strings

Invalid parameter, xrefs: 00493865
NULL Pointer assignment, xrefs: 0049381E
Failed to create object, xrefs: 004937E4, 0049389A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 1e76311899763007a6a4355971e6b500c6099e01768a07ff98e4a84797a443ce
Instruction ID: c09ade78cfc8693cfbb62d65456be79016457365495fb0cb24c547c6a8c76256
Opcode Fuzzy Hash: 1e76311899763007a6a4355971e6b500c6099e01768a07ff98e4a84797a443ce
Instruction Fuzzy Hash: 6561B070608301AFD710EF55C888B6ABBE4EF4A705F10486FF58597291C778EE49CB9A

Function 004A8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

Part of subcall function 0042912D: GetCursorPos.USER32(?), ref: 00429141
Part of subcall function 0042912D: ScreenToClient.USER32(00000000,?), ref: 0042915E
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000001), ref: 00429183
Part of subcall function 0042912D: GetAsyncKeyState.USER32(00000002), ref: 0042919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 004A8B6B
ImageList_EndDrag.COMCTL32 ref: 004A8B71
ReleaseCapture.USER32 ref: 004A8B77
SetWindowTextW.USER32(?,00000000), ref: 004A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 004A8CFF

Strings

@GUI_DROPID, xrefs: 004A8C51
p#N, xrefs: 004A8C71
@GUI_DRAGFILE, xrefs: 004A8C9A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#N
API String ID: 1924731296-3991093434
Opcode ID: 993f0510353d533d072f03afe6da25543189ea6be430bc402e84c74b585bceda
Instruction ID: 47c12726a45359ca2c067fea2545401927e23d90b7c28c502135f77aac93ccd2
Opcode Fuzzy Hash: 993f0510353d533d072f03afe6da25543189ea6be430bc402e84c74b585bceda
Instruction Fuzzy Hash: 33518B70204200AFD704EF15DC95FAA77E4FB89714F400A2EF996572E2DB789D44CB6A

Function 00483388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004833CF

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004833F0

Strings

Incorrect parameters to object property !, xrefs: 004834AB
Line %d (File "%s"):, xrefs: 00483443, 0048345C
"%s" (%d) : ==> %s:, xrefs: 00483522
Error: , xrefs: 004834D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00483504
^ ERROR , xrefs: 0048349E

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 1142c04a9c81701bb75aae4beb97b563b64bd2f7e18b9087fe87dddb4fc3f9c0
Instruction ID: 7695c21b8b36afe79131069c5ec5d0ca14b9c4d6ae953ec27149b8bd75fa862b
Opcode Fuzzy Hash: 1142c04a9c81701bb75aae4beb97b563b64bd2f7e18b9087fe87dddb4fc3f9c0
Instruction Fuzzy Hash: D051D471900209BADF14EBE1CD52EEEB778AF04744F20446BF50572162EB392F98DB68

Function 0047B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0047B5FC
_wcslen.LIBCMT ref: 0047B608
_wcslen.LIBCMT ref: 0047B64D
_wcslen.LIBCMT ref: 0047B68C
_wcslen.LIBCMT ref: 0047B6C7

Strings

EXISTS, xrefs: 0047B686, 0047B68B
REMOVE, xrefs: 0047B602, 0047B607
KEYS, xrefs: 0047B647, 0047B64C
APPEND, xrefs: 0047B6C1, 0047B6C6

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 05988ba4a17b9c84888d3bbc0106db6ad0fca6b2443a379f5b7f8fc0d0f0e533
Instruction ID: 414aed57adbb56d44630540c850783c453eb60b242e3bbd21be030ebb81c53ac
Opcode Fuzzy Hash: 05988ba4a17b9c84888d3bbc0106db6ad0fca6b2443a379f5b7f8fc0d0f0e533
Instruction Fuzzy Hash: 31412A32A001269ACB106F7D88906FF77A1EFA0758B24812BE629D7384E73DCD81C3D5

Function 00485393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00485416
GetLastError.KERNEL32 ref: 00485420
SetErrorMode.KERNEL32(00000000,READY), ref: 004854A7

Strings

INVALID, xrefs: 00485459
READONLY, xrefs: 00485452
READY, xrefs: 00485460, 00485468
NOTREADY, xrefs: 0048544B
UNKNOWN, xrefs: 00485444

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8dafa5648ace807a1cbe3412b834b70b3b72cad942207dffd6dc4ceda2610241
Instruction ID: cbe64af34b405703c3480dd1aee301c646ac5b5423df9dc3eb6c89aac84d6b26
Opcode Fuzzy Hash: 8dafa5648ace807a1cbe3412b834b70b3b72cad942207dffd6dc4ceda2610241
Instruction Fuzzy Hash: 0231CE35A002049FDB10EF68C484BAEBBB4EF45709F14846BE405CB392DB79DD82CB95

Function 004A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 004A3C79
SetMenu.USER32(?,00000000), ref: 004A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004A3D10
IsMenu.USER32(?), ref: 004A3D24
CreatePopupMenu.USER32 ref: 004A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004A3D5B
DrawMenuBar.USER32 ref: 004A3D63

Strings

0, xrefs: 004A3C54
F, xrefs: 004A3D4E

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 61bf1a0c13cbfdcf9b5887dc7343f0fc2790829543ca24696400371479a97c1a
Instruction ID: 88367d0572a9587ccdce4249f6a151579d92679bdd64667a54bb18dfb3d73e06
Opcode Fuzzy Hash: 61bf1a0c13cbfdcf9b5887dc7343f0fc2790829543ca24696400371479a97c1a
Instruction Fuzzy Hash: 28417EB5A01209EFDB14CF64D884ADA7BB5FF5A351F14002AF946A7360E734AA10CF58

Function 00471EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00471F64
GetDlgCtrlID.USER32 ref: 00471F6F
GetParent.USER32 ref: 00471F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00471F8E
GetDlgCtrlID.USER32(?), ref: 00471F97
GetParent.USER32(?), ref: 00471FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00471FAE

Strings

ComboBox, xrefs: 00471EEC
ListBox, xrefs: 00471F21

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 2482581fa915c43a01fffc99b3093fe117c9891835abd700e5ce3564698c1547
Instruction ID: 911ac598e1d5e5cae51a6700bafdf9c31b3e101bcb7c18fb55eda3b226416f2b
Opcode Fuzzy Hash: 2482581fa915c43a01fffc99b3093fe117c9891835abd700e5ce3564698c1547
Instruction Fuzzy Hash: CE21C271900214BBCF15EFA4CC95EEEBBB8EF06354B10411BF965672A1DB385904DB68

Function 004A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 004A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 004A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 004A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 004A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 004A3C13

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 8750fad242930c77f0ba0a5b7088109129fc0be0950115208b9d46647844f1c6
Instruction ID: 9b9b1362c474cf40edbbecfd28caa1ac6b822cdd5dbcf18cdb8d3d0f30ad3c48
Opcode Fuzzy Hash: 8750fad242930c77f0ba0a5b7088109129fc0be0950115208b9d46647844f1c6
Instruction Fuzzy Hash: 04619F75900248AFDB10DF64CC81EEE77F8EB19314F1000AAFA05A73A2D774AE45DB54

Function 0047B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0047B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B165
GetWindowThreadProcessId.USER32(00000000), ref: 0047B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0047B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0047A1E1,?,00000001), ref: 0047B21D

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 83c3472da5634ea67357a083ed23f30d82bf44ddcd5c52161906f8a17ba07ca0
Instruction ID: 60138c64cf79c9cf67be6e330ec5055d278779b652c5cf4ab33331a845a62410
Opcode Fuzzy Hash: 83c3472da5634ea67357a083ed23f30d82bf44ddcd5c52161906f8a17ba07ca0
Instruction Fuzzy Hash: 8731A271540204AFDB119F64DC8CBAE7B69EB51356F108466FA08DB251D7789E008FAC

Function 00442C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00442C94

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 00442CA0
_free.LIBCMT ref: 00442CAB
_free.LIBCMT ref: 00442CB6
_free.LIBCMT ref: 00442CC1
_free.LIBCMT ref: 00442CCC
_free.LIBCMT ref: 00442CD7
_free.LIBCMT ref: 00442CE2
_free.LIBCMT ref: 00442CED
_free.LIBCMT ref: 00442CFB

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: baeddbe0655e94e118552a65794846ef528a4f51d5828953fe4ae3143878e0bf
Instruction ID: c4d3835c6e39c14024aa1b946a06c50d845e7d2803cfcb573c61ee3650419366
Opcode Fuzzy Hash: baeddbe0655e94e118552a65794846ef528a4f51d5828953fe4ae3143878e0bf
Instruction Fuzzy Hash: 6411FEB5200108BFEB02EF56DA42CDD3B65FF05354F81449AF9485F232D675EE509B54

Function 00487DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00487FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00487FC1
GetFileAttributesW.KERNEL32(?), ref: 00487FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00488005
SetCurrentDirectoryW.KERNEL32(?), ref: 00488017
SetCurrentDirectoryW.KERNEL32(?), ref: 00488060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004880B0

Strings

*.*, xrefs: 00488066

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 75ed41fe40df109effce1867840db597d0068e9624acc88efec2f2c0e749759e
Instruction ID: 60776df3a2aa20ebd64d375f27d7d87eae9c9b1fdb66f3cae49938412a292d9a
Opcode Fuzzy Hash: 75ed41fe40df109effce1867840db597d0068e9624acc88efec2f2c0e749759e
Instruction Fuzzy Hash: 8B8190725082019BCB20EF15C8949BFB7E8AF89314F644C5FF889D7250EB38DD458B5A

Function 00415BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00415C7A

Part of subcall function 00415D0A: GetClientRect.USER32(?,?), ref: 00415D30
Part of subcall function 00415D0A: GetWindowRect.USER32(?,?), ref: 00415D71
Part of subcall function 00415D0A: ScreenToClient.USER32(?,?), ref: 00415D99

GetDC.USER32 ref: 004546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00454708
SelectObject.GDI32(00000000,00000000), ref: 00454716
SelectObject.GDI32(00000000,00000000), ref: 0045472B
ReleaseDC.USER32(?,00000000), ref: 00454733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004547C4

Strings

U, xrefs: 00454693

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 35b70a7b7996833853d03c08335a8f43a9e06e71ff8c86c7ce4ac674f8b758aa
Instruction ID: 887fb8666af04f3ee60c595cc3ab95fc0868f9ada7a6041cbaf17a9e9da7969d
Opcode Fuzzy Hash: 35b70a7b7996833853d03c08335a8f43a9e06e71ff8c86c7ce4ac674f8b758aa
Instruction Fuzzy Hash: E171DE34400205DFCF218F64C984AEA3BB1FF8A32AF14426BED555E267D7388886DF58

Function 0048359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004835E4

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

LoadStringW.USER32(004E2390,?,00000FFF,?), ref: 0048360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00483742
Line %d (File "%s"):, xrefs: 0048366B
Error: , xrefs: 004836EF
^ ERROR, xrefs: 004836C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00483724

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 6829c1961d2d7a976b95a72771c5281948a3b144cbd59cc3e9a777d504f96c59
Instruction ID: 4c2bca62849440ba06ab7cf45b7e745419e897b1c1e1e03a16b17439adab886e
Opcode Fuzzy Hash: 6829c1961d2d7a976b95a72771c5281948a3b144cbd59cc3e9a777d504f96c59
Instruction Fuzzy Hash: E5517071800209AADF14EFA1CC92EEEBB35AF04745F14452BF505721A1EB386AD9DF68

Function 0048C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0048C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0048C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0048C2CA
GetLastError.KERNEL32 ref: 0048C322
SetEvent.KERNEL32(?), ref: 0048C336
InternetCloseHandle.WININET(00000000), ref: 0048C341

Strings

, xrefs: 0048C2BB

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 74b0636c93e256869bad559c5974195124dd36c9636d8b7d25542fd185a0c4db
Instruction ID: dcca571e5fa73f26138b9223ec9660c497b26d26be665a6c4ee5f2301c3f81ee
Opcode Fuzzy Hash: 74b0636c93e256869bad559c5974195124dd36c9636d8b7d25542fd185a0c4db
Instruction Fuzzy Hash: 6A316F71500604AFD721AF6598C4AAF7BFCEB49744B10892FF84692240DB38DD059B79

Function 0047989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00453AAF,?,?,Bad directive syntax error,004ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004798BC
LoadStringW.USER32(00000000,?,00453AAF,?), ref: 004798C3

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00479987

Strings

Error: , xrefs: 00479955
Line %d:, xrefs: 00479912
Line %d (File "%s"):, xrefs: 0047992D
., xrefs: 0047996D
%s (%d) : ==> %s.: %s %s, xrefs: 004798F1

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: fa06d9b2b9ad3f3bd0e7f2c0e597206f5bd85a688edb2dc1f3b8ae400d4d489b
Instruction ID: 5e73d1bf454e12fe2114cdb077473c7e2ec109ca6bea76091fc6e4f3dc4d1393
Opcode Fuzzy Hash: fa06d9b2b9ad3f3bd0e7f2c0e597206f5bd85a688edb2dc1f3b8ae400d4d489b
Instruction Fuzzy Hash: BA21B47190021EBBDF11AF90CC16EEE7775FF14704F04442BF915621A2EB39AA68DB58

Function 0047209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0047214D

Strings

list, xrefs: 0047212F
smallicons, xrefs: 00472115
largeicons, xrefs: 004720E1
details, xrefs: 004720FB
SHELLDLL_DefView, xrefs: 004720CC

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 480a8efdf70b991f5fc79afe6b89803628bf79b93d37c7c71f2b55f650fe3af9
Instruction ID: 611cbf69ee29b9cdf684a2aa189dc85727efe1fc5bc048144b682bf17ae3cdaf
Opcode Fuzzy Hash: 480a8efdf70b991f5fc79afe6b89803628bf79b93d37c7c71f2b55f650fe3af9
Instruction Fuzzy Hash: 2B110676688707B9FA017621DD16DE7379CEB09328F60902BFB08B51D2EEAD7802565C

Function 0044CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0044CEB7
_free.LIBCMT ref: 0044CF22
_free.LIBCMT ref: 0044CF48
_free.LIBCMT ref: 0044CF71
_free.LIBCMT ref: 0044CFA9
_free.LIBCMT ref: 0044CFDA
_free.LIBCMT ref: 0044D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044D09C
_free.LIBCMT ref: 0044D0B5

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0f6d594d9b792e19d64dba72ca68b34b4ada623c32d40a52b9590f8e37912daa
Instruction ID: 750c0a0e7a1f753b1cb60f520546c754aa0ddf1d1d4dabc90750fc9e587da608
Opcode Fuzzy Hash: 0f6d594d9b792e19d64dba72ca68b34b4ada623c32d40a52b9590f8e37912daa
Instruction Fuzzy Hash: 4D6138B1A05200ABFB21AFB59CC1A6A7B95EF05314F08416FF9409B3C2DB7D9D45876C

Function 00428B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00466890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00428874,00000000,00000000,00000000,000000FF,00000000), ref: 00466901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0046691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00428874,00000000,00000000,00000000,000000FF,00000000), ref: 0046692D

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: fa81703eb3a7b5ad67dffe79f50e50ce3408a4c78cab3e762331d8884ff2e4a0
Instruction ID: bd1738f8097e962daaaf6b2cb2eb0be89b6a46b8e53ad3f6cd96e8920b93ee01
Opcode Fuzzy Hash: fa81703eb3a7b5ad67dffe79f50e50ce3408a4c78cab3e762331d8884ff2e4a0
Instruction Fuzzy Hash: 9F518BB0601209EFDB20CF25DC95FAA7BB5FB48750F10452EF902972A0EB78E951DB58

Function 0048C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0048C182
GetLastError.KERNEL32 ref: 0048C195
SetEvent.KERNEL32(?), ref: 0048C1A9

Part of subcall function 0048C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0048C272
Part of subcall function 0048C253: GetLastError.KERNEL32 ref: 0048C322
Part of subcall function 0048C253: SetEvent.KERNEL32(?), ref: 0048C336
Part of subcall function 0048C253: InternetCloseHandle.WININET(00000000), ref: 0048C341

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: b216da24480443753077756372bf9f2dc18e2b4ffd6eb7504d4b1429d7cdc380
Instruction ID: b03f585cd010f89a7b7b3a1440e4f4ff447f781d7afdfc5ace4c113a7b38417c
Opcode Fuzzy Hash: b216da24480443753077756372bf9f2dc18e2b4ffd6eb7504d4b1429d7cdc380
Instruction Fuzzy Hash: 40317071900601AFDB21AFA5DC84A6BBBE9FF15300B04496EF95682650DB39E8149FB8

Function 004725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00473A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00473A57
Part of subcall function 00473A3D: GetCurrentThreadId.KERNEL32 ref: 00473A5E
Part of subcall function 00473A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004725B3), ref: 00473A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00472601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00472605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0047260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00472623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00472627

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: cc795c06aee6b687c30220c1268515723e3d365f9cec9b3b9c9fbbb93e9b046d
Instruction ID: 84133b2d2f81a885ff98e46ed22a8c0740ef85e32ad420e8fde034ecc074791b
Opcode Fuzzy Hash: cc795c06aee6b687c30220c1268515723e3d365f9cec9b3b9c9fbbb93e9b046d
Instruction Fuzzy Hash: 7C01D471390210BBFB106B699CCAF993F59DB4EB12F104016F318AE0D1C9E224459E6E

Function 00471803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00471449,?,?,00000000), ref: 0047180C
HeapAlloc.KERNEL32(00000000,?,00471449,?,?,00000000), ref: 00471813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00471449,?,?,00000000), ref: 00471828
GetCurrentProcess.KERNEL32(?,00000000,?,00471449,?,?,00000000), ref: 00471830
DuplicateHandle.KERNEL32(00000000,?,00471449,?,?,00000000), ref: 00471833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00471449,?,?,00000000), ref: 00471843
GetCurrentProcess.KERNEL32(00471449,00000000,?,00471449,?,?,00000000), ref: 0047184B
DuplicateHandle.KERNEL32(00000000,?,00471449,?,?,00000000), ref: 0047184E
CreateThread.KERNEL32(00000000,00000000,00471874,00000000,00000000,00000000), ref: 00471868

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 99b6ec243ee29bfd6e9bdd53b6a3671cc3cdae3326ceb848c7fb3a9835a12599
Instruction ID: bfcffbb60fd692dca6b937531f55aaf4c7be63ec40b69a2cd0da393570e40acd
Opcode Fuzzy Hash: 99b6ec243ee29bfd6e9bdd53b6a3671cc3cdae3326ceb848c7fb3a9835a12599
Instruction Fuzzy Hash: 4101ACB5340304BFE650ABA5DC89F573BACEB8AB11F014421FA05DB1A1DA749C008F24

Function 00443E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00443F0B
__alldvrm.LIBCMT ref: 0044410C
__alldvrm.LIBCMT ref: 0044412E

Strings

}}C, xrefs: 004440CD
}}C, xrefs: 00443E8A
}}C, xrefs: 00443E96, 00443EF1, 00443F0A, 00444090

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}C$}}C$}}C
API String ID: 1036877536-3838356168
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 55d6bb21141281f8b76a98580d82eca2ee82b19744e9c2b012eb12fb0f4261ca
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 98A14671E006869FFB25CE18C8817AABBE4EFA1354F14416FE5859B382C63C9946C758

Function 0049A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0047D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0047D501
Part of subcall function 0047D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0047D50F
Part of subcall function 0047D4DC: CloseHandle.KERNELBASE(00000000), ref: 0047D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0049A16D
GetLastError.KERNEL32 ref: 0049A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0049A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0049A268
GetLastError.KERNEL32(00000000), ref: 0049A273
CloseHandle.KERNEL32(00000000), ref: 0049A2C4

Strings

SeDebugPrivilege, xrefs: 0049A18F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 562f8f691dd63b23c87d6ea90d1282525bd97f5838dee050914e66114e600629
Instruction ID: 36f2df698d255feddc6e8a26eca3dc0c4ee3e7c4f17fa9341202c8a72a231482
Opcode Fuzzy Hash: 562f8f691dd63b23c87d6ea90d1282525bd97f5838dee050914e66114e600629
Instruction Fuzzy Hash: B9616030204241AFDB10DF15C495F56BBE1AF44318F1484AEE46A4B7A3C77AED45CBDA

Function 004A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004A3954
_wcslen.LIBCMT ref: 004A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004A39F4

Strings

SysListView32, xrefs: 004A38F7

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: e8de5c6cb76dbd63778f93a435e166ace9dae01d8fa2b12ffa6c3295429251fc
Instruction ID: ccd2430a9be2a533bf818e9775e89bebad9ccd98701324f406f60594f99308b5
Opcode Fuzzy Hash: e8de5c6cb76dbd63778f93a435e166ace9dae01d8fa2b12ffa6c3295429251fc
Instruction Fuzzy Hash: D941C571A00218ABEB21DF64CC45FEB7BA9EF19354F10012BF944E7291E7799D84CB98

Function 0047BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0047BCFD
IsMenu.USER32(00000000), ref: 0047BD1D
CreatePopupMenu.USER32 ref: 0047BD53
GetMenuItemCount.USER32(016F5500), ref: 0047BDA4
InsertMenuItemW.USER32(016F5500,?,00000001,00000030), ref: 0047BDCC

Strings

0, xrefs: 0047BCA8
2, xrefs: 0047BD37

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 45650f18d7a7bbd6b64570c21c9fccb71755610dcfcb28475d05258f060b191a
Instruction ID: 06c1102c7ce32793cf09bb3edbd64f06b4a9908b57febe5af0d55aa46d925c25
Opcode Fuzzy Hash: 45650f18d7a7bbd6b64570c21c9fccb71755610dcfcb28475d05258f060b191a
Instruction Fuzzy Hash: 5A51AD70A00205AFDB21CFA9C8C4BEEBBF5EF45314F14C12AE45997390E7789945CB99

Function 00432D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00432D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00432D53
_ValidateLocalCookies.LIBCMT ref: 00432DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00432E0C
_ValidateLocalCookies.LIBCMT ref: 00432E61

Strings

&HC, xrefs: 00432DFE, 00432E07, 00432E18
csm, xrefs: 00432DF6

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HC$csm
API String ID: 1170836740-3574481041
Opcode ID: b052d583835687b0c5e66397fabd623dd367a59914160ab0b7e6a30e5a391072
Instruction ID: 61b2e7129eb97acbeca5891d267d3487f72a20dd187edbdd3b69602293c7d7d0
Opcode Fuzzy Hash: b052d583835687b0c5e66397fabd623dd367a59914160ab0b7e6a30e5a391072
Instruction Fuzzy Hash: 0741D834A00209EBCF10DF69C945A9FBBB5BF48329F14915BE8146B392D779DA01CBD4

Function 0047C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0047C913

Strings

question, xrefs: 0047C8CC
info, xrefs: 0047C8B4
blank, xrefs: 0047C895
warning, xrefs: 0047C8FC
stop, xrefs: 0047C8E4

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: da685e691a2a880c087cbae40ceeebdd519494af2af04ae57b12b6c89776ffce
Instruction ID: 21ff85fea1f5f2ea39103eacf143a7c1e73e2a95a43c3f2567d7c8d498d5142b
Opcode Fuzzy Hash: da685e691a2a880c087cbae40ceeebdd519494af2af04ae57b12b6c89776ffce
Instruction Fuzzy Hash: 12112BB178930ABAA7006B149CC2DEB679CDF15319B21402FF608A6382D76C6D0052AD

Function 0047DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0047DE42
gethostname.WSOCK32(?,00000100), ref: 0047DE5C
gethostbyname.WSOCK32(?), ref: 0047DE69
inet_ntoa.WSOCK32(?), ref: 0047DEAB
_strcat.LIBCMT ref: 0047DEB9
WSACleanup.WSOCK32 ref: 0047DEDE

Strings

0.0.0.0, xrefs: 0047DE87

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: eac639b673e963746120514becdbf649a3a58ae5d3cc5350911577bcb2256ea1
Instruction ID: 0be74e1a5556144794af25f9413a68f80be1d4a0109a6e9c52a7da8c556888a8
Opcode Fuzzy Hash: eac639b673e963746120514becdbf649a3a58ae5d3cc5350911577bcb2256ea1
Instruction Fuzzy Hash: B0113671900115ABDB25BB319C4AEEF7BBCDF55325F00417FF0099A191EF789A818A58

Function 0047ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0047ED2A
_wcslen.LIBCMT ref: 0047ED3B
_wcslen.LIBCMT ref: 0047ED79
_wcslen.LIBCMT ref: 0047EDAF
_wcslen.LIBCMT ref: 0047EDDF
_wcslen.LIBCMT ref: 0047EDEF
_wcslen.LIBCMT ref: 0047EE2B
_wcslen.LIBCMT ref: 0047EE5A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: f9c3f9204ef27489f36bcdff7212644f5214deb91c4c0603e7f10be9e5b25576
Instruction ID: 1734efafe1a5bf421d02fbefdca4c9ddb8c3307d0966683f1d77b2dafadc82fe
Opcode Fuzzy Hash: f9c3f9204ef27489f36bcdff7212644f5214deb91c4c0603e7f10be9e5b25576
Instruction Fuzzy Hash: 9241B465C1011875DB11EBB6888AACF77A8AF4D310F0095A7F518E3161FB3CE255C3AE

Function 0042F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 0042F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 0046F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 0046F454

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2aa2447e6f49d28833af13ef0f09c1b97ba9820ccf9211e2db444395c33b0ed6
Instruction ID: f4f2621174da2dbcae1f2d9782b7a0e71618c96fab850a6fc96cd5e006374c0e
Opcode Fuzzy Hash: 2aa2447e6f49d28833af13ef0f09c1b97ba9820ccf9211e2db444395c33b0ed6
Instruction Fuzzy Hash: 97411BB1708690BAC7348B29B8C872B7BB1AB56314FD4403FE08756761D63D98C9CB1E

Function 004A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004A2D1B
GetDC.USER32(00000000), ref: 004A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 004A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 004A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004A2DE1

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7316aca04863058deed6b42e3504aef6f9b511fd35c6fe0b7ad1bdef8ef33d5e
Instruction ID: d856e670a8b8925bfa9cab915092b040a5f56776acca71eca82ad4298affb0a6
Opcode Fuzzy Hash: 7316aca04863058deed6b42e3504aef6f9b511fd35c6fe0b7ad1bdef8ef33d5e
Instruction Fuzzy Hash: 51318072201214BFEB518F54CC89FEB3FADEF1A755F044065FE089A291C6B59C51CBA8

Function 00475622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00475637
_memcmp.LIBVCRUNTIME ref: 00475659
_memcmp.LIBVCRUNTIME ref: 00475671
_memcmp.LIBVCRUNTIME ref: 00475684
_memcmp.LIBVCRUNTIME ref: 0047569E
_memcmp.LIBVCRUNTIME ref: 004756B1
_memcmp.LIBVCRUNTIME ref: 004756C9
_memcmp.LIBVCRUNTIME ref: 004756E4

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f09c90ec28bd79cc54175b72e46c1bc452d5c0fa430c68cb4f18d814f5f72214
Instruction ID: 6aaefbd7a7b5e915b4a7130ec7be96634651264fc8830a9f4e49c14756843ba7
Opcode Fuzzy Hash: f09c90ec28bd79cc54175b72e46c1bc452d5c0fa430c68cb4f18d814f5f72214
Instruction Fuzzy Hash: 5921FC61640A0977E21855128D82FFB335CAF35398F548027FD0C9EA41F7ADEE1581ED

Function 00494FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0049502E, 00495383
Not an Object type, xrefs: 00495007

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 3b48ce988c63529401446eb8be1488a6ea468072c15a2631e387b393c970eb8c
Instruction ID: 8dec7c5331494979e5d36cd6c230bcdb9564d4360288d4de5feeed0ef83ed8b7
Opcode Fuzzy Hash: 3b48ce988c63529401446eb8be1488a6ea468072c15a2631e387b393c970eb8c
Instruction Fuzzy Hash: 7CD1B171A0060A9FDF11CFA8C881BAEBBB5BF48344F24807AE915AB381E774DD45CB54

Function 00451522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00451651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004517FB,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004516FB

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00451777
__freea.LIBCMT ref: 004517A2
__freea.LIBCMT ref: 004517AE

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: eb0e1b495fce95ff45c970d785a36241d9353bc7e2e12e693997e5d6c088e61a
Instruction ID: 2d9fc0e671a93cb11dd0f2ad9e35df09db9d30e9d6593efe0ad0e6388275eadb
Opcode Fuzzy Hash: eb0e1b495fce95ff45c970d785a36241d9353bc7e2e12e693997e5d6c088e61a
Instruction Fuzzy Hash: 5D919571E00219ABDB208E74C881FEF7BA59F49715F14455BEC01E7262E739DC49CB68

Function 00494523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00494648
VariantInit.OLEAUT32(?), ref: 00494749
VariantClear.OLEAUT32(?), ref: 00494753
VariantClear.OLEAUT32(?), ref: 004947B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0049472C
Null Object assignment in FOR..IN loop, xrefs: 004945D8, 00494706, 004947BE

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 0d0756cfafbb1801344bc20eec64ddd077a22954fb6982edff489e267dc72d5f
Instruction ID: 49d1327ca34a333b24b80c15ad50ea4de85957ccdb0ea6a9acfa31d50e2c941a
Opcode Fuzzy Hash: 0d0756cfafbb1801344bc20eec64ddd077a22954fb6982edff489e267dc72d5f
Instruction Fuzzy Hash: 23917671A00219ABDF24CF95C844FAF7BB8EF85714F10856AF505AB280D7789946CF64

Function 00481187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0048125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00481284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0048135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00481430

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: aa3eda03435ff02b68a6298a0d2d0bf7c0eab2391e4981e4a85742165c0bc13a
Instruction ID: 64fc30596eb504eb7ab17840d15f4c53607af06c0435327a91be93ebc5de8b8f
Opcode Fuzzy Hash: aa3eda03435ff02b68a6298a0d2d0bf7c0eab2391e4981e4a85742165c0bc13a
Instruction Fuzzy Hash: 29910371A002189FDB00EF95C884BBE77B9FF49715F10486BE901E72A1D77CA946CB98

Function 0042948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 56b786534807ed635d9a112595599399987c437eff24ff106a30e51f28f5438f
Instruction ID: 05ca2aec769e6b47f8c426d4addd1e26013a7838f5e39a7bcea2991a43360470
Opcode Fuzzy Hash: 56b786534807ed635d9a112595599399987c437eff24ff106a30e51f28f5438f
Instruction Fuzzy Hash: A1913971A04219EFCB10CFA9D884AEEBBB8FF49324F54405AE515B7251D3789D82CB64

Function 00493947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0049396B
CharUpperBuffW.USER32(?,?), ref: 00493A7A
_wcslen.LIBCMT ref: 00493A8A
VariantClear.OLEAUT32(?), ref: 00493C1F

Part of subcall function 00480CDF: VariantInit.OLEAUT32(00000000), ref: 00480D1F
Part of subcall function 00480CDF: VariantCopy.OLEAUT32(?,?), ref: 00480D28
Part of subcall function 00480CDF: VariantClear.OLEAUT32(?), ref: 00480D34

Strings

AUTOIT.ERROR, xrefs: 00493A80, 00493A85
Incorrect Parameter format, xrefs: 004939A6, 00493BA1

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 18a323709df1a08a91d14f6770db883bf4267b3a705f769677533a0f88554c87
Instruction ID: 7abff49528f9ca478c0ed716ea95a9677b8116d4d684bb9f2884dc78bc125727
Opcode Fuzzy Hash: 18a323709df1a08a91d14f6770db883bf4267b3a705f769677533a0f88554c87
Instruction Fuzzy Hash: C6918F756083019FCB00DF25C49096ABBE5FF89319F14886EF88997351DB38EE45CB9A

Function 00494BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0047000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?,?,0047035E), ref: 0047002B
Part of subcall function 0047000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470046
Part of subcall function 0047000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470054
Part of subcall function 0047000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?), ref: 00470064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00494C51
_wcslen.LIBCMT ref: 00494D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00494DCF
CoTaskMemFree.OLE32(?), ref: 00494DDA

Strings

NULL Pointer assignment, xrefs: 00494E23, 00494E52

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 034c0e50423b88157db3d55f6448d277a0f12507a72737709af303e6f75eee3d
Instruction ID: fb1e49d811127fe42ed8b59ade19fa264a589f5667d7a5bcdfb86709c6736fd3
Opcode Fuzzy Hash: 034c0e50423b88157db3d55f6448d277a0f12507a72737709af303e6f75eee3d
Instruction Fuzzy Hash: F6912871D0021DAFDF14DFA5C890EEEBBB8BF48314F10856AE919A7241DB389A45CF64

Function 004A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004A2183
GetMenuItemCount.USER32(00000000), ref: 004A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004A21DD
_wcslen.LIBCMT ref: 004A2213
GetMenuItemID.USER32(?,?), ref: 004A224D
GetSubMenu.USER32(?,?), ref: 004A225B

Part of subcall function 00473A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00473A57
Part of subcall function 00473A3D: GetCurrentThreadId.KERNEL32 ref: 00473A5E
Part of subcall function 00473A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004725B3), ref: 00473A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004A22E3

Part of subcall function 0047E97B: Sleep.KERNEL32 ref: 0047E9F3

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: bd4a864fc8a48395ba5cea93e7a1b04479dc3bc3c3e1d109305ab684bd552db5
Instruction ID: 3ef26ecbc2bf3be259ad124bdf7b76e12a09e14050462215450b4c8d5e6bd8a2
Opcode Fuzzy Hash: bd4a864fc8a48395ba5cea93e7a1b04479dc3bc3c3e1d109305ab684bd552db5
Instruction Fuzzy Hash: A271E476E00205AFCB00DF69C981AAEB7F1EF59314F1084AAE816EB341D778ED419B94

Function 004A7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016F54B0), ref: 004A7F37
IsWindowEnabled.USER32(016F54B0), ref: 004A7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 004A801E
SendMessageW.USER32(016F54B0,000000B0,?,?), ref: 004A8051
IsDlgButtonChecked.USER32(?,?), ref: 004A8089
GetWindowLongW.USER32(016F54B0,000000EC), ref: 004A80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004A80C3

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: ac810aa56579d711bffd5727c59aecd5d78ea40529efed37e7bb4a2455f98a37
Instruction ID: 9be6b24c02e54c8a316599344a4f6b112b7ea9401317f06a464e82e076ad4b32
Opcode Fuzzy Hash: ac810aa56579d711bffd5727c59aecd5d78ea40529efed37e7bb4a2455f98a37
Instruction Fuzzy Hash: 3A718C74608204AFEB319F54CC94FAB7BB5EF2B300F14405AF945973A1CB39A955DB18

Function 0047AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0047AEF9
GetKeyboardState.USER32(?), ref: 0047AF0E
SetKeyboardState.USER32(?), ref: 0047AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0047AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0047AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0047AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0047B020

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 40ee27a15ad657b69e9c20263c7dba566f63bcabc90887c08775352c3cadb2c5
Instruction ID: d7e5f11b83c820724254a0923878970e609ff0f53a82abb492559a88144b401a
Opcode Fuzzy Hash: 40ee27a15ad657b69e9c20263c7dba566f63bcabc90887c08775352c3cadb2c5
Instruction Fuzzy Hash: A251C1A06087D53DFB3682348849BFB7EA99B46304F08C58AE1DD955C2C39CA894D79A

Function 0047ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0047AD19
GetKeyboardState.USER32(?), ref: 0047AD2E
SetKeyboardState.USER32(?), ref: 0047AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0047ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0047ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0047AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0047AE38

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6c3b504252f4563d54bb1c869af65293ee7305c5de8bb617e74c4d8021c1d268
Instruction ID: 0bbb919b1a8013fc562e5559fa36ea9a63a4bb6e9823816ce019a46bd98018ea
Opcode Fuzzy Hash: 6c3b504252f4563d54bb1c869af65293ee7305c5de8bb617e74c4d8021c1d268
Instruction Fuzzy Hash: A951E6A15447D13DFB3283248C45BFF7E995B86300F08C88AE0DD469C2C298ECA8D75A

Function 0044542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00453CD6,?,?,?,?,?,?,?,?,00445BA3,?,?,00453CD6,?,?), ref: 00445470
__fassign.LIBCMT ref: 004454EB
__fassign.LIBCMT ref: 00445506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00453CD6,00000005,00000000,00000000), ref: 0044552C
WriteFile.KERNEL32(?,00453CD6,00000000,00445BA3,00000000,?,?,?,?,?,?,?,?,?,00445BA3,?), ref: 0044554B
WriteFile.KERNEL32(?,?,00000001,00445BA3,00000000,?,?,?,?,?,?,?,?,?,00445BA3,?), ref: 00445584

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7be974b27e3db8dce4288a28fe535950d8195cfebf89370f4fd5ac15572036ee
Instruction ID: 3a8be8e9041603259f37193ebde6c42580a139486c5335926ac659f1848a661e
Opcode Fuzzy Hash: 7be974b27e3db8dce4288a28fe535950d8195cfebf89370f4fd5ac15572036ee
Instruction Fuzzy Hash: 3751E770A00649AFEF11CFA8D885AEEBBF5EF09300F14412BF555E7292D7749A41CB68

Function 004910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0049304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0049307A
Part of subcall function 0049304E: _wcslen.LIBCMT ref: 0049309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00491112
WSAGetLastError.WSOCK32 ref: 00491121
WSAGetLastError.WSOCK32 ref: 004911C9
closesocket.WSOCK32(00000000), ref: 004911F9

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: b7f5be6981453c93e9ec974bea7938a17b159b6a8a173b8e965b638d6c3ddd39
Instruction ID: 9765d20cc8d782846dd36171b63127cfe19ab6084df616b64c42d05d81aaa42c
Opcode Fuzzy Hash: b7f5be6981453c93e9ec974bea7938a17b159b6a8a173b8e965b638d6c3ddd39
Instruction Fuzzy Hash: 2341F731600105AFDB109F14C885BAABFE9FF45358F14806AF9159B3A1C778ED81CBE9

Function 0047CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0047CF22,?), ref: 0047DDFD

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0047CF22,?), ref: 0047DE16

lstrcmpiW.KERNEL32(?,?), ref: 0047CF45
MoveFileW.KERNEL32(?,?), ref: 0047CF7F
_wcslen.LIBCMT ref: 0047D005
_wcslen.LIBCMT ref: 0047D01B
SHFileOperationW.SHELL32(?), ref: 0047D061

Strings

\*.*, xrefs: 0047CFF3

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 62f6b3a1e6a5787324d0ee43f90a1785a2ab35238f2a3adaca4e7c80b1e0c04d
Instruction ID: 0a0c3ffc89610867f98d1ace412faacb9624685888a867e35375af47558ba2bc
Opcode Fuzzy Hash: 62f6b3a1e6a5787324d0ee43f90a1785a2ab35238f2a3adaca4e7c80b1e0c04d
Instruction Fuzzy Hash: 8F415771D451185EDF12EFA5C9C1BDE77B8AF09384F1040EBE509EB141EA38A644CB58

Function 004A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 004A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 004A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 004A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 004A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004A2F0B

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: afcbe08b7f12ab77c33aea948100070413457703b78f4eda8510633d1e4fc66f
Instruction ID: 09217e66e949798d80aafdba6fd8cf359fa017d9f37003bb1065f243eb873d51
Opcode Fuzzy Hash: afcbe08b7f12ab77c33aea948100070413457703b78f4eda8510633d1e4fc66f
Instruction Fuzzy Hash: 9131F430645150AFDB21CF5CDDC4F6637E1EB6A710F150166F9048F2B2CBB5A880EB49

Function 00477726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00477769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0047778F
SysAllocString.OLEAUT32(00000000), ref: 00477792
SysAllocString.OLEAUT32(?), ref: 004777B0
SysFreeString.OLEAUT32(?), ref: 004777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004777DE
SysAllocString.OLEAUT32(?), ref: 004777EC

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 180a47c1fcd1345fa85ea1b2ddfdbca2e0c41dcdb27b03723cd1d0709d5fde98
Instruction ID: 1907a6c854d28df787dbcbc206c865ff6f7debe4ef7c476506690dd4b1d39068
Opcode Fuzzy Hash: 180a47c1fcd1345fa85ea1b2ddfdbca2e0c41dcdb27b03723cd1d0709d5fde98
Instruction Fuzzy Hash: 6221B276604219AFDB14DFA8DC88CFB77ECEB093647408436F908DB250D674EC468B68

Function 004777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00477842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00477868
SysAllocString.OLEAUT32(00000000), ref: 0047786B
SysAllocString.OLEAUT32 ref: 0047788C
SysFreeString.OLEAUT32 ref: 00477895
StringFromGUID2.OLE32(?,?,00000028), ref: 004778AF
SysAllocString.OLEAUT32(?), ref: 004778BD

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6f093deb8ea1a3fb840f9c122b8b1c34a5fbf64ee85caf7d8e6f9edfaaaddf24
Instruction ID: 7b05e49c742221ac8033265a869f9c6274cf91dd368ec5728a39e532596ed145
Opcode Fuzzy Hash: 6f093deb8ea1a3fb840f9c122b8b1c34a5fbf64ee85caf7d8e6f9edfaaaddf24
Instruction Fuzzy Hash: 6D216231604114AFDB10AFA8DC88DBB7BECEB097607518126F919CB2A1D678DC45CB6D

Function 004804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0048052E

Strings

nul, xrefs: 00480567

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 75f099e1712beaf22993d6797736cfda6e356f7bed940b78d76a406d5909e4f5
Instruction ID: 9a48228d481c7bd7bb189645c54176b79ad7b283bab6f5613cb5bd11d2649014
Opcode Fuzzy Hash: 75f099e1712beaf22993d6797736cfda6e356f7bed940b78d76a406d5909e4f5
Instruction Fuzzy Hash: 95216D75610305AFDB60EF29DC44A9E7BE4AF45724F204E2AF8A1D62E0D7749948CF38

Function 004805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00480601

Strings

nul, xrefs: 00480639

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b2f9696a9f57c13ff0eea99611995276ab9cdec46da63bd1386f26d5c8e4c062
Instruction ID: d726e9dae3363738ef992d0155cfbe510bd649dfe070012dba31d1431b556c8d
Opcode Fuzzy Hash: b2f9696a9f57c13ff0eea99611995276ab9cdec46da63bd1386f26d5c8e4c062
Instruction Fuzzy Hash: 39219135510305AFDB60AF698C44A5F77E4AF85720F200F2AE8A1E33E0E7749864CB28

Function 004A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0041604C
Part of subcall function 0041600E: GetStockObject.GDI32(00000011), ref: 00416060
Part of subcall function 0041600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004A4145

Strings

Msctls_Progress32, xrefs: 004A40E3

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: eb2e48e241f30cabd6ad8765c96a960efee5f0007c069f28fc0c94112b3dec4a
Instruction ID: c9d7ba6ed7162725d3ced616448d1b5bbf84ed62faece9bae52646308c077414
Opcode Fuzzy Hash: eb2e48e241f30cabd6ad8765c96a960efee5f0007c069f28fc0c94112b3dec4a
Instruction Fuzzy Hash: 3311E6B11401197EEF108F64CC85EEB7F5DEF59398F004111B618A6150C776DC61DBA8

Function 0044D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044D7A3: _free.LIBCMT ref: 0044D7CC

_free.LIBCMT ref: 0044D82D

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044D838
_free.LIBCMT ref: 0044D843
_free.LIBCMT ref: 0044D897
_free.LIBCMT ref: 0044D8A2
_free.LIBCMT ref: 0044D8AD
_free.LIBCMT ref: 0044D8B8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c377767b27301cc4aad4fa5b422dd55e7ddbb0a192f5bf0fcbcedc779b9b7479
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 671121B1A40B04ABF921BFB2CC47FCB7BDC6F04704F80482EB299A6692DA7DB5054654

Function 0047DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0047DA74
LoadStringW.USER32(00000000), ref: 0047DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0047DA91
LoadStringW.USER32(00000000), ref: 0047DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0047DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0047DAB9

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 9ae9e66c017f939920714558eb0fecf04ebc3d6516ba418c19b3f3a1a321dd28
Instruction ID: a1da462aa9e4c506d35bab5c7eaf66fe5d3b49265c8d1cd150d4c48e4bf2559b
Opcode Fuzzy Hash: 9ae9e66c017f939920714558eb0fecf04ebc3d6516ba418c19b3f3a1a321dd28
Instruction Fuzzy Hash: 1B0186F69002087FE750DBA09DC9EE7376CEB09301F4044A6F70AE2041EA749E844F78

Function 0048096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(016EEB08,016EEB08), ref: 0048097B
EnterCriticalSection.KERNEL32(016EEAE8,00000000), ref: 0048098D
TerminateThread.KERNEL32(?,000001F6), ref: 0048099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004809A9
CloseHandle.KERNEL32(?), ref: 004809B8
InterlockedExchange.KERNEL32(016EEB08,000001F6), ref: 004809C8
LeaveCriticalSection.KERNEL32(016EEAE8), ref: 004809CF

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 90215555e3ef42918418173c8ab6f3141c7f7e97d37f10a1312a54bc034fafd1
Instruction ID: 79c4584fa51b4a0e3771378881f3d9c5bd24afcb0b8ee26a218ab75ad849665e
Opcode Fuzzy Hash: 90215555e3ef42918418173c8ab6f3141c7f7e97d37f10a1312a54bc034fafd1
Instruction Fuzzy Hash: EEF03172542502BBD7815F94EECCBDA7F35FF02702F401026F101508A0CB749465CF98

Function 00491C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00491DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00491DE1
WSAGetLastError.WSOCK32 ref: 00491DF2
htons.WSOCK32(?,?,?,?,?), ref: 00491EDB
inet_ntoa.WSOCK32(?), ref: 00491E8C

Part of subcall function 004739E8: _strlen.LIBCMT ref: 004739F2

Part of subcall function 00493224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0048EC0C), ref: 00493240

_strlen.LIBCMT ref: 00491F35

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 8eda8098d50db5123391732863e0495abea73ecd7c3a6f81f95e32a07de9ee62
Instruction ID: 3f16cbace0477e478eccabfe3b91f0a5ccb8d7982bd02e61bfee587c1a98ea02
Opcode Fuzzy Hash: 8eda8098d50db5123391732863e0495abea73ecd7c3a6f81f95e32a07de9ee62
Instruction Fuzzy Hash: 14B1F231204301AFC724EF25C885E6A7BE5AF84318F54856EF4564B3E2DB39ED42CB95

Function 00415D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00415D30
GetWindowRect.USER32(?,?), ref: 00415D71
ScreenToClient.USER32(?,?), ref: 00415D99
GetClientRect.USER32(?,?), ref: 00415ED7
GetWindowRect.USER32(?,?), ref: 00415EF8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 9a7bbd2ee61cc26cc93447fe43f975dc4a29f2f7d440b0fa1e3f85092c77c0b6
Instruction ID: 58ba3854c76b15d91ee6a1e7bd697758bdfb85b9c9fc66b20e6df40114c91a6d
Opcode Fuzzy Hash: 9a7bbd2ee61cc26cc93447fe43f975dc4a29f2f7d440b0fa1e3f85092c77c0b6
Instruction Fuzzy Hash: B7B17B78A0074ADBDB10DFA9C4807EEB7F1FF94310F14841AE8A9D7250D738AA91DB59

Function 004401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004400D6
__allrem.LIBCMT ref: 004400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044010B
__allrem.LIBCMT ref: 00440122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00440140

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: a7bc3b624c1f6bf048d3cb5a78ab0417a2618118eb77044d913ecf2298be7943
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 3681F572A007069BF720AE2ACC41B6B73E8AF55328F24453FF951D7781E779D9048B98

Function 004461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004382D9,004382D9,?,?,?,0044644F,00000001,00000001,8BE85006), ref: 00446258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0044644F,00000001,00000001,8BE85006,?,?,?), ref: 004462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004463D8
__freea.LIBCMT ref: 004463E5

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

__freea.LIBCMT ref: 004463EE
__freea.LIBCMT ref: 00446413

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 32a539a2e8659de3411d454d0271453b1558fa1f381ee0f743e755c2849ab4b9
Instruction ID: 08792b7ba3183a3762053034266875ea390e27941e422d4b1903377c80dd72d7
Opcode Fuzzy Hash: 32a539a2e8659de3411d454d0271453b1558fa1f381ee0f743e755c2849ab4b9
Instruction Fuzzy Hash: 48512472600256ABFB259F64CC81EAF7BA9EF46710F16426BFC05D6240DB3CDC40C66A

Function 0049BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0049BD25
RegCloseKey.ADVAPI32(00000000), ref: 0049BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0049BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0049BDF3
RegCloseKey.ADVAPI32(?), ref: 0049BDFF

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: c7f86dccda7ea3094d5f0b995f66842e53fc10fdb02f9e4f1ca84e14ba7a64a4
Instruction ID: be57c2d582a13b8435e86927679a46912f523a4374cf047bf12102d224957fb4
Opcode Fuzzy Hash: c7f86dccda7ea3094d5f0b995f66842e53fc10fdb02f9e4f1ca84e14ba7a64a4
Instruction Fuzzy Hash: 8381DD30208200AFCB14DF20D884E6ABBE5FF84308F14896EF4594B2A2DB35ED45CB96

Function 0046F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0046F7B9
SysAllocString.OLEAUT32(00000001), ref: 0046F860
VariantCopy.OLEAUT32(0046FA64,00000000), ref: 0046F889
VariantClear.OLEAUT32(0046FA64), ref: 0046F8AD
VariantCopy.OLEAUT32(0046FA64,00000000), ref: 0046F8B1
VariantClear.OLEAUT32(?), ref: 0046F8BB

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 4808cb304ed7bdbbece158bd611d0ed39eeae6a7c303c3986544d899015ef101
Instruction ID: 39739ae8b2f115f53030ea3b63a812cd6793bdd48726e099c0b1ea6ef1983e18
Opcode Fuzzy Hash: 4808cb304ed7bdbbece158bd611d0ed39eeae6a7c303c3986544d899015ef101
Instruction Fuzzy Hash: EC51E971610310BACF10AB66E895B29B3A4EF45314F20447BE946DF291FB789C49C79F

Function 0048910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004894E5
_wcslen.LIBCMT ref: 00489506
_wcslen.LIBCMT ref: 0048952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00489585

Strings

X, xrefs: 00489412

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: c6532960a45dfe6d31e17d0884af780df3feb3e68e8c1de0a6656944d00b76fb
Instruction ID: f7a77bbc4ea995dcc8ce3c6660a8f1fb99c9f336fc6429c5337dcca31ac4c31c
Opcode Fuzzy Hash: c6532960a45dfe6d31e17d0884af780df3feb3e68e8c1de0a6656944d00b76fb
Instruction Fuzzy Hash: 29E1B6315047009FD714EF25C881AAEB7E1BF85318F08896EF8999B391DB34DD45CB99

Function 0042920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

BeginPaint.USER32(?,?,?), ref: 00429241
GetWindowRect.USER32(?,?), ref: 004292A5
ScreenToClient.USER32(?,?), ref: 004292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004292D3
EndPaint.USER32(?,?,?,?,?), ref: 00429321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004671EA

Part of subcall function 00429339: BeginPath.GDI32(00000000), ref: 00429357

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 72cad3d36e04ed09d64d74d7880cf55430a2b78e874b7f329a77fe2d10a71600
Instruction ID: 6034aaa4e55575bdf0aa3a0fa7d2e1413272dd3e658d1a97844b9e5c3fc0697a
Opcode Fuzzy Hash: 72cad3d36e04ed09d64d74d7880cf55430a2b78e874b7f329a77fe2d10a71600
Instruction Fuzzy Hash: 8141A170204210AFD710DF25DCC4FBA7BA8EF4A724F04066AF9548B2B2D7389C45DB6A

Function 004807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0048080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00480847
EnterCriticalSection.KERNEL32(?), ref: 00480863
LeaveCriticalSection.KERNEL32(?), ref: 004808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00480921

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 6e713bb872c64b4501b20af6c13899468374cf63acecf63f326dd49751d1e5f2
Instruction ID: 23546aaab79aade105d2a92eb994ff35ddc13e6bf4c3c2ecd305efc941eeff80
Opcode Fuzzy Hash: 6e713bb872c64b4501b20af6c13899468374cf63acecf63f326dd49751d1e5f2
Instruction Fuzzy Hash: A0418B71A00205EBDF15AF54DC85AAA7778FF04304F5044BAED00AA297DB34DE68DBA8

Function 004A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0046F3AB,00000000,?,?,00000000,?,0046682C,00000004,00000000,00000000), ref: 004A824C
EnableWindow.USER32(?,00000000), ref: 004A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004A82D1
ShowWindow.USER32(?,00000004), ref: 004A82E5
EnableWindow.USER32(?,00000001), ref: 004A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004A832F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b5dc2a36551623c901a162104724f3f712abc3599ad27a2d8ce1f4f42292cd60
Instruction ID: 4885e7855455d33656b92683b48d2dc7f613daad38af60fa9af44eff188f5a09
Opcode Fuzzy Hash: b5dc2a36551623c901a162104724f3f712abc3599ad27a2d8ce1f4f42292cd60
Instruction Fuzzy Hash: 5D418C75601644AFDF21CF15D8D9BA57BE0FB1B714F1801AAEA484F2B3CB36A841CB48

Function 00474C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00474C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00474CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00474CEA
_wcslen.LIBCMT ref: 00474D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00474D10
_wcsstr.LIBVCRUNTIME ref: 00474D1A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: caf43dc33dc1fd34708f52c5e663b9b6fa67b8b181a66592fcc0e2301e568c09
Instruction ID: 41177ba51f8c10e7beae0a095ce292d86f1b12f90b2af649872799cd8941021b
Opcode Fuzzy Hash: caf43dc33dc1fd34708f52c5e663b9b6fa67b8b181a66592fcc0e2301e568c09
Instruction Fuzzy Hash: CC21FF712041107BE7259B35AD45EBB7F9CDF85750F11807FF809CA151DF69DC0196A4

Function 0048581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00413AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00413A97,?,?,00412E7F,?,?,?,00000000), ref: 00413AC2

_wcslen.LIBCMT ref: 0048587B
CoInitialize.OLE32(00000000), ref: 00485995
CoCreateInstance.OLE32(004AFCF8,00000000,00000001,004AFB68,?), ref: 004859AE
CoUninitialize.OLE32 ref: 004859CC

Strings

.lnk, xrefs: 00485876, 004858C1, 00485985

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 02f5273dad3f3599585c3c68b88e11e0e4d097715929a94f3ea41ee0264f97f7
Instruction ID: 1f241cee7ad67021fafe78226c8e2e1a15611d7450086d2c0c520245b3ce15a1
Opcode Fuzzy Hash: 02f5273dad3f3599585c3c68b88e11e0e4d097715929a94f3ea41ee0264f97f7
Instruction Fuzzy Hash: CFD144716046019FC714EF25C480A6EBBE2FF89718F14885EF8899B361D739EC45CB9A

Function 0047175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00470FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00470FCA
Part of subcall function 00470FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00470FD6
Part of subcall function 00470FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00470FE5
Part of subcall function 00470FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00470FEC
Part of subcall function 00470FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00471002

GetLengthSid.ADVAPI32(?,00000000,00471335), ref: 004717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004717BA
HeapAlloc.KERNEL32(00000000), ref: 004717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004717DA
GetProcessHeap.KERNEL32(00000000,00000000,00471335), ref: 004717EE
HeapFree.KERNEL32(00000000), ref: 004717F5

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 713752c9510535fc862bbcb1e67439a462adb0fa9335662028b91e6e4304af82
Instruction ID: 39f37885331c193b6c0bd358c72011c24584806004971767b5060491a8fac03d
Opcode Fuzzy Hash: 713752c9510535fc862bbcb1e67439a462adb0fa9335662028b91e6e4304af82
Instruction Fuzzy Hash: 8D118E71601205FFDB189FA8CC89BEFBBA9EB46355F10802AF44597220D739A944CF68

Function 004714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00471506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00471515
CloseHandle.KERNEL32(00000004), ref: 00471520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00471563

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0d09d6919cd0f005675ec209c84f50e23e76bc35b7ae51b336fd4fb1b33fd804
Instruction ID: 2f1594f55a7c8cb2294521a8c34156db9a8aa7a81e0dec2a4c56a20469988dd3
Opcode Fuzzy Hash: 0d09d6919cd0f005675ec209c84f50e23e76bc35b7ae51b336fd4fb1b33fd804
Instruction Fuzzy Hash: 9011267650020ABBDF118FA8DE89BDF7BA9EF49744F048025FA09A2160C3758E65DB64

Function 00433382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00433379,00432FE5), ref: 00433390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004333B7
SetLastError.KERNEL32(00000000,?,00433379,00432FE5), ref: 00433409

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 94ba2cdf7e45a0e4205e7e9fe41f9b0dedcb44446320dd45022dafe77fe0749f
Instruction ID: ee87cfb10787d4b11fea635c66c6473afc9bf668c8963e6ba6ff383981fa8817
Opcode Fuzzy Hash: 94ba2cdf7e45a0e4205e7e9fe41f9b0dedcb44446320dd45022dafe77fe0749f
Instruction Fuzzy Hash: 7A01F53220A312BEAA252FB66CC66576B54DB1D77BF20923FF810812F1EF194D01914C

Function 00442D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00445686,00453CD6,?,00000000,?,00445B6A,?,?,?,?,?,0043E6D1,?,004D8A48), ref: 00442D78
_free.LIBCMT ref: 00442DAB
_free.LIBCMT ref: 00442DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0043E6D1,?,004D8A48,00000010,00414F4A,?,?,00000000,00453CD6), ref: 00442DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0043E6D1,?,004D8A48,00000010,00414F4A,?,?,00000000,00453CD6), ref: 00442DEC
_abort.LIBCMT ref: 00442DF2

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 87b26909f72037bad5c5d086486b1020b940d93f18a23cd448839f0232acdda1
Instruction ID: da92441ee169492da4535394740f22c8a52c034306245e407036841f70511c34
Opcode Fuzzy Hash: 87b26909f72037bad5c5d086486b1020b940d93f18a23cd448839f0232acdda1
Instruction Fuzzy Hash: AEF02DB194590137F65237367E46F5F2A55AFC2765F64002FF824922D2DEFC8801426C

Function 004A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00429639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00429693
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296A2
Part of subcall function 00429639: BeginPath.GDI32(?), ref: 004296B9
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 004A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 004A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 004A8A70
LineTo.GDI32(?,00000000,00000003), ref: 004A8A80
EndPath.GDI32(?), ref: 004A8A90
StrokePath.GDI32(?), ref: 004A8AA0

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b6c18d542ec193f35e011439873e7249bcde06685e767de20389c9ba3aade09f
Instruction ID: 2763b2413425744688e43200f531a1f45c9e2f9b88bac5330b09e51f8288fde3
Opcode Fuzzy Hash: b6c18d542ec193f35e011439873e7249bcde06685e767de20389c9ba3aade09f
Instruction Fuzzy Hash: B611177604414CFFEF129F90DC88EAA7FACEB09354F008026BA199A1A1C7719D55DFA4

Function 004751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00475218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00475229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00475230
ReleaseDC.USER32(00000000,00000000), ref: 00475238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0047524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00475261

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 56a657c657abbaf1ae1b2fa63b866ad810472cae7daa1520dd3baeb040bf8ccd
Instruction ID: b478207ead9bded2994e5a75cdca39e5f22044c99e0cd918db43bcb14021a8ec
Opcode Fuzzy Hash: 56a657c657abbaf1ae1b2fa63b866ad810472cae7daa1520dd3baeb040bf8ccd
Instruction Fuzzy Hash: AF014475A00714BBEB109BA59C49A9EBFB9EB45751F044066FA04AB381D6709C01CFA4

Function 00411BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00411BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00411BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00411C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00411C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00411C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00411C22

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b82c27ef77be373fb79d768c11b49100e3c2383e9df10edc1a26d8b66baebb76
Instruction ID: d493e9c988888cf1d66a9505dcfddd78373853669c9bcba617f077a56dc52d90
Opcode Fuzzy Hash: b82c27ef77be373fb79d768c11b49100e3c2383e9df10edc1a26d8b66baebb76
Instruction Fuzzy Hash: 880167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0047EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0047EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0047EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0047EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0047EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0047EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0047EB75

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9833bf06cacfe7257034509a113eb5214938d23b96800fcfedc48189a40a840d
Instruction ID: 9e055b19992bea128c1e96962202570f0e47ffc8bf24a53ce0b8b7c318cd5711
Opcode Fuzzy Hash: 9833bf06cacfe7257034509a113eb5214938d23b96800fcfedc48189a40a840d
Instruction Fuzzy Hash: 3FF05472240158BBE7619B529C4DEEF3E7CEFCBB11F004169F601D1191DBA05A01CAB9

Function 00467439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00467452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00467469
GetWindowDC.USER32(?), ref: 00467475
GetPixel.GDI32(00000000,?,?), ref: 00467484
ReleaseDC.USER32(?,00000000), ref: 00467496
GetSysColor.USER32(00000005), ref: 004674B0

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 93c9250fc3b27b4d275d6063ab14f121d8382c43f99ff1df49e7e13a0a3fb3de
Instruction ID: 37d12297833d4d9562e8c5ae27ae2f72ad7d91c848f1b1e770cf022df2df1e3b
Opcode Fuzzy Hash: 93c9250fc3b27b4d275d6063ab14f121d8382c43f99ff1df49e7e13a0a3fb3de
Instruction Fuzzy Hash: 6A018B31500215FFEB909F64DD48BAA7FB5FB05311F500071F915A21A1CF311E42AB59

Function 00471874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0047187F
UnloadUserProfile.USERENV(?,?), ref: 0047188B
CloseHandle.KERNEL32(?), ref: 00471894
CloseHandle.KERNEL32(?), ref: 0047189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004718A5
HeapFree.KERNEL32(00000000), ref: 004718AC

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9bf72216978b42fe2df08dc3f184cd041d70c36a5b0b1ebf7cab93073d43d17f
Instruction ID: a6468c14aaad85d95ab4b43a71100f0c1fd1e9a74cc05d3d72b1e6cbacef8e77
Opcode Fuzzy Hash: 9bf72216978b42fe2df08dc3f184cd041d70c36a5b0b1ebf7cab93073d43d17f
Instruction Fuzzy Hash: 04E0E576204101BBDB416FA1ED4C90ABF79FF4AB22B108230F22581070CB329421DF58

Function 0041BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0041BEB3

Strings

D%N, xrefs: 0041BE9A
D%N, xrefs: 0041BCA2
D%N, xrefs: 0041BDED, 0041BD91, 0041BD1B
D%ND%N, xrefs: 0041BCA5

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%N$D%N$D%N$D%ND%N
API String ID: 1385522511-2848982604
Opcode ID: 778719f60a104dcf0ccd177bdf84589ea30439dbf6684f63a5fdf9524693df48
Instruction ID: 6ea5914dde4d3614734cc7f24822dc5fde11845d43a37a4303ff65ac5b2307f6
Opcode Fuzzy Hash: 778719f60a104dcf0ccd177bdf84589ea30439dbf6684f63a5fdf9524693df48
Instruction Fuzzy Hash: 57916875A0020ADFCB18CF59C1906EAB7F1FF59310B24816ED941AB350E779AD81CBD8

Function 00497B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00430242: EnterCriticalSection.KERNEL32(004E070C,004E1884,?,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043024D
Part of subcall function 00430242: LeaveCriticalSection.KERNEL32(004E070C,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043028A

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 004300A3: __onexit.LIBCMT ref: 004300A9

__Init_thread_footer.LIBCMT ref: 00497BFB

Part of subcall function 004301F8: EnterCriticalSection.KERNEL32(004E070C,?,?,00428747,004E2514), ref: 00430202
Part of subcall function 004301F8: LeaveCriticalSection.KERNEL32(004E070C,?,00428747,004E2514), ref: 00430235

Strings

+TF, xrefs: 00497E2E
5, xrefs: 00497C78
G, xrefs: 00497C7F
Variable must be of type 'Object'., xrefs: 00497C3A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TF$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4280218163
Opcode ID: f6a16fa33cb159536fb688e2cb3b970e101e5c7a7928e6385b4483ede6bdc62e
Instruction ID: dc8afd1bf4116c1208d511a716ebc4e0fe3f2365de9aa8903e19c7bac440db70
Opcode Fuzzy Hash: f6a16fa33cb159536fb688e2cb3b970e101e5c7a7928e6385b4483ede6bdc62e
Instruction Fuzzy Hash: 6C91AD70A14208EFCF04EF55D8919AEBBB1BF49304F14816EF8065B392DB79AE41CB59

Function 0047C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0047C6EE
_wcslen.LIBCMT ref: 0047C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0047C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0047C7CA

Strings

0, xrefs: 0047C6AF

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 6f2c06fcceb46ee5a417394521afe865c103c218ef31b31dc8b20b061f51f7b5
Instruction ID: 036c8139172a9f7fd1662064223204c19d98b54ff38c2ffca6a104d234804fbf
Opcode Fuzzy Hash: 6f2c06fcceb46ee5a417394521afe865c103c218ef31b31dc8b20b061f51f7b5
Instruction Fuzzy Hash: 4251E3716043019BD7189F29C8C5BEB77E4AF49314F04892FF999D32A1DB78D904CB5A

Function 0049AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0049AEA3

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

GetProcessId.KERNEL32(00000000), ref: 0049AF38
CloseHandle.KERNEL32(00000000), ref: 0049AF67

Strings

<, xrefs: 0049AE6B
@, xrefs: 0049AE72

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: da3861950a4e83546d7ae0c68ee95ccce28b5fe26f0bfd751639bb8b38d5d387
Instruction ID: 768865b3bdf31409f9d64233fa41ed74dc96dff1021e3930170bc98b8bc759db
Opcode Fuzzy Hash: da3861950a4e83546d7ae0c68ee95ccce28b5fe26f0bfd751639bb8b38d5d387
Instruction Fuzzy Hash: 4D714970A00615DFCF14DF55C484A9EBBF1BF08318F0484AAE81AAB751CB78ED95CB99

Function 0047719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00477206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0047723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0047724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004772CF

Strings

DllGetClassObject, xrefs: 00477242

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 84df3b845cbf5adf0a617163e0c43572df966713748ba81f1eda258850e5e808
Instruction ID: 78e40fe605dddce31242282e7b0a38f9ab9f1a9eb59d5bfeefa87fa2826868c2
Opcode Fuzzy Hash: 84df3b845cbf5adf0a617163e0c43572df966713748ba81f1eda258850e5e808
Instruction Fuzzy Hash: 1A419D71A04204AFDB15CF54C884ADA7BA9EF44314F60C0AEFD099F20AD7B8D944CBA4

Function 004A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004A3E35
IsMenu.USER32(?), ref: 004A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004A3E92
DrawMenuBar.USER32 ref: 004A3EA5

Strings

0, xrefs: 004A3D89

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: be11eda8e55823a4c5dd314aef5c7d7854119da3bd2d32cddc10917f40bcded8
Instruction ID: 358611fc54028fd19411c81743056fbcd683b987c2e189c7972843d632d761f0
Opcode Fuzzy Hash: be11eda8e55823a4c5dd314aef5c7d7854119da3bd2d32cddc10917f40bcded8
Instruction Fuzzy Hash: 81415975A01209EFDB10DF50D884AABBBB5FF5A356F04412AF9059B350E734AE41CF54

Function 00471DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00471E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00471E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00471EA9

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Strings

ComboBox, xrefs: 00471DF0
ListBox, xrefs: 00471E25

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: eab37a5b54cfa49451ef739c1846035ec58c4f7da949240ec79be3ba199361e7
Instruction ID: 76072e64cfff2d64756e7fc843cbb86739bdd03fa2d33123d0401edc891935ab
Opcode Fuzzy Hash: eab37a5b54cfa49451ef739c1846035ec58c4f7da949240ec79be3ba199361e7
Instruction Fuzzy Hash: 6B213771A00104BEDB14AB69DC56DFFB7B8DF42354B10812FF859A32E0DB3C4D4A8628

Function 004A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004A2F8D
LoadLibraryW.KERNEL32(?), ref: 004A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004A2FA9
DestroyWindow.USER32(?), ref: 004A2FB1

Strings

SysAnimate32, xrefs: 004A2F68

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5a059ece18695e012411c228c778116c19e0e175ffa8178757ede497c9db3c28
Instruction ID: 1b84eb1fdade81f0549b63b0f3455e8ea16a86318cb4c701d95909bb8856eeed
Opcode Fuzzy Hash: 5a059ece18695e012411c228c778116c19e0e175ffa8178757ede497c9db3c28
Instruction Fuzzy Hash: 5521C371200205AFEB108F68DD80FBB37BDEB6A368F10422AF950D6290D7B5DC51B768

Function 00434D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00434D1E,004428E9,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002), ref: 00434D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00434DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00434D1E,004428E9,?,00434CBE,004428E9,004D88B8,0000000C,00434E15,004428E9,00000002,00000000), ref: 00434DC3

Strings

CorExitProcess, xrefs: 00434D98
mscoree.dll, xrefs: 00434D86

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 17d6c6ef9b1753d6ba9eb775796148d862211fa9ea9ac1400f165082f0fac582
Instruction ID: 4a44dd46e48559abad93e14b117633f573e7f023cd2bac84df3a9d42d1da2fbb
Opcode Fuzzy Hash: 17d6c6ef9b1753d6ba9eb775796148d862211fa9ea9ac1400f165082f0fac582
Instruction Fuzzy Hash: E8F03134640208ABDB515F94DC49BDEBFE5EB48752F0001AAE805A2250CB745940DE98

Function 00414E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00414EDD,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00414EAE
FreeLibrary.KERNEL32(00000000,?,?,00414EDD,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414EC0

Strings

kernel32.dll, xrefs: 00414E94
Wow64DisableWow64FsRedirection, xrefs: 00414EA8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 2fcb139f9e97e8b65accf9693ffe75c06bc64cadc27bfd00ff72ecb099ccb975
Instruction ID: 9388f1a29be9f88115b5940574dbe45d4e4491b1a4eb700cbc59b58498d1ec89
Opcode Fuzzy Hash: 2fcb139f9e97e8b65accf9693ffe75c06bc64cadc27bfd00ff72ecb099ccb975
Instruction Fuzzy Hash: E8E0CD35B017229BD2711B257C58B9F6954AFC3F637050127FC04D2304DB68DD4148BD

Function 00414E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00453CDE,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00414E74
FreeLibrary.KERNEL32(00000000,?,?,00453CDE,?,004E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00414E87

Strings

kernel32.dll, xrefs: 00414E5B
Wow64RevertWow64FsRedirection, xrefs: 00414E6E

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: dc3b485f2ac8406f4e6247426b62578b71c011e96e7fac995004df403e123362
Instruction ID: 989c52f1e93b047bff59084ed21e506efb34e8f80c4f378a66b6b0d8b510ba05
Opcode Fuzzy Hash: dc3b485f2ac8406f4e6247426b62578b71c011e96e7fac995004df403e123362
Instruction Fuzzy Hash: ADD0C2356427226746621B247C18ECB2E18AFC3B213050223F800A2214CF29CD42C9EC

Function 00482947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00482C05
DeleteFileW.KERNEL32(?), ref: 00482C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00482C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00482CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00482CC0

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 3e1163149c025d58843b5625dea454ceed2315e0d6cb4e0bf22621694f983a2a
Instruction ID: 5cf82a61d61d2dfd5d181f94456cb88ce852856a03885391282a198eab559881
Opcode Fuzzy Hash: 3e1163149c025d58843b5625dea454ceed2315e0d6cb4e0bf22621694f983a2a
Instruction Fuzzy Hash: 4DB17E72D01119ABDF11EFA5CD85EEEBB7CEF48304F0044ABF509A6141EB789A448F69

Function 0049A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0049A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0049A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0049A468
CloseHandle.KERNEL32(?), ref: 0049A63D

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 877afe03b3f44d3bd7935d721423133d296b347392f1fb85ba45a9707894c6b2
Instruction ID: 9082ec479254e114fbc28b0797779e1aeb1a99a403012a6b58db033f1b30d769
Opcode Fuzzy Hash: 877afe03b3f44d3bd7935d721423133d296b347392f1fb85ba45a9707894c6b2
Instruction Fuzzy Hash: 50A19371604300AFDB20DF15D885F2ABBE5AF44718F14882EF9999B3D2D7B4EC418B96

Function 0044BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004B3700), ref: 0044BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0044BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004E1270,000000FF,?,0000003F,00000000,?), ref: 0044BC36
_free.LIBCMT ref: 0044BB7F

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044BD4B

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 89655aef374f3786b320aa648b706b31e08314b5e144f8f6834667acac800707
Instruction ID: 0a4b96cad64463c0c510b95a757c983b12f7399a9e43482ed5795104e8fce694
Opcode Fuzzy Hash: 89655aef374f3786b320aa648b706b31e08314b5e144f8f6834667acac800707
Instruction Fuzzy Hash: 4F51D871D00209AFEB10EF669CC19AEB7B8EF45314B1042AFE554E72A1EB74DD418BD8

Function 0047E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0047CF22,?), ref: 0047DDFD

Part of subcall function 0047DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0047CF22,?), ref: 0047DE16

Part of subcall function 0047E199: GetFileAttributesW.KERNEL32(?,0047CF95), ref: 0047E19A

lstrcmpiW.KERNEL32(?,?), ref: 0047E473
MoveFileW.KERNEL32(?,?), ref: 0047E4AC
_wcslen.LIBCMT ref: 0047E5EB
_wcslen.LIBCMT ref: 0047E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0047E650

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2520168432b8b636160a162f24862c93690ecb6fc3b4ebb1331a84ccce1f6cf5
Instruction ID: 4a7e949fc09f8578df0285f7f958b2dc41a442f31998295e87a4b7bfad6995a5
Opcode Fuzzy Hash: 2520168432b8b636160a162f24862c93690ecb6fc3b4ebb1331a84ccce1f6cf5
Instruction Fuzzy Hash: 8C516FB24083455BC724EBA1DC819DB73ECAF89344F004A6FE689D3151EF78A588876E

Function 0049B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 0049C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0049B6AE,?,?), ref: 0049C9B5
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049C9F1
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA68
Part of subcall function 0049C998: _wcslen.LIBCMT ref: 0049CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0049BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0049BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0049BB63
RegCloseKey.ADVAPI32(?,?), ref: 0049BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0049BBB3

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: bafa64b433be41009be818a03790b9a1c939d27772ad57c9136980c2edc90191
Instruction ID: 5041afaf4b4e0da743bf7ef48ad0b16c2d0bc52f8bb74cfb1fbad5ef4f0e9427
Opcode Fuzzy Hash: bafa64b433be41009be818a03790b9a1c939d27772ad57c9136980c2edc90191
Instruction Fuzzy Hash: B161D131208201AFC714DF14C990E6BBBE5FF84308F14896EF4998B2A2DB35ED45CB96

Function 00478BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00478BCD
VariantClear.OLEAUT32 ref: 00478C3E
VariantClear.OLEAUT32 ref: 00478C9D
VariantClear.OLEAUT32(?), ref: 00478D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00478D3B

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 694fcbc8b9cf9751aef9645ff0760a301874e197b115279830d1c5d8bc83d813
Instruction ID: 70ca067523b154fdbb5e6de94d7b85697061bc555aadc03d714f56de2c1ba891
Opcode Fuzzy Hash: 694fcbc8b9cf9751aef9645ff0760a301874e197b115279830d1c5d8bc83d813
Instruction Fuzzy Hash: FC516DB5A00219DFCB10CF58D894AAABBF4FF8D314B15855AE909DB350D734E911CF94

Function 00488AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00488BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00488BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00488C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00488C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00488C5F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 265061e54bbd1ddac715d999542e6808f1f03752c43c496240c6187f250042ef
Instruction ID: a829c9f05553940ea5e42b33936484159c4767965be1b7d4bd357bd9017903e4
Opcode Fuzzy Hash: 265061e54bbd1ddac715d999542e6808f1f03752c43c496240c6187f250042ef
Instruction Fuzzy Hash: 6D515F35A00214AFCB01DF65C881AAEBBF5FF49318F08845DE849AB362DB35ED41CB94

Function 00498EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00498F40
GetProcAddress.KERNEL32(00000000,?), ref: 00498FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00498FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00499032
FreeLibrary.KERNEL32(00000000), ref: 00499052

Part of subcall function 0042F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00481043,?,7529E610), ref: 0042F6E6
Part of subcall function 0042F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0046FA64,00000000,00000000,?,?,00481043,?,7529E610,?,0046FA64), ref: 0042F70D

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f1dfa2a8af92c6f2fa23fa31397c99e199f4062d0487f0e37f120e8f4857c860
Instruction ID: ba985ac36e7d70186bcf075020540c50bf7674d1c3f7e011078ac1edfa6f5ef5
Opcode Fuzzy Hash: f1dfa2a8af92c6f2fa23fa31397c99e199f4062d0487f0e37f120e8f4857c860
Instruction Fuzzy Hash: 22512935600205DFCB11DF59C4948AEBBF1FF49358B0480AEE8169B362DB35ED86CB95

Function 004A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 004A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 004A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 004A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0048AB79,00000000,00000000), ref: 004A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 004A6CC7

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: e4dfb80d215fe2f0abfa13afd2ae1b7df0d614a54378e2a4d9d2adce287eb267
Instruction ID: 3b4f8a48d1fb26aceece9514bb38876a1b8233be03b8539f99eeaf058a13b111
Opcode Fuzzy Hash: e4dfb80d215fe2f0abfa13afd2ae1b7df0d614a54378e2a4d9d2adce287eb267
Instruction Fuzzy Hash: 2841F635600114AFD724CF28CC84FA67FA5EB1B360F0A022AF955AB3E1C779ED41CA58

Function 00442051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004420C3
_free.LIBCMT ref: 004420E3

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: daf33a5b8842fb7a8a440f6bb4683ce336f28dd3ef03a246876850ab670c2d30
Instruction ID: dbe4b12d1b5ef9a76a7b268ee01cd29a6b7b1667680eef61006dd1f4afb043e6
Opcode Fuzzy Hash: daf33a5b8842fb7a8a440f6bb4683ce336f28dd3ef03a246876850ab670c2d30
Instruction Fuzzy Hash: 56410472A002009FEB20DF79C981A5EB3F1EF88314F95416AF605EB352D6B5AD01CB84

Function 0042912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00429141
ScreenToClient.USER32(00000000,?), ref: 0042915E
GetAsyncKeyState.USER32(00000001), ref: 00429183
GetAsyncKeyState.USER32(00000002), ref: 0042919D

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 23f58be605c12e13882f6a621315a3a09da15055e6934ad91cd90781d33d268a
Instruction ID: d07b7fb9b1cc10956d52b5274f51739ca756b7f87ede036128ea1593edfdff20
Opcode Fuzzy Hash: 23f58be605c12e13882f6a621315a3a09da15055e6934ad91cd90781d33d268a
Instruction Fuzzy Hash: DB417D31A0821AAADB059F69D844AFEB774FB06324F20822BE425A23D0D7785D50CB96

Function 00483874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00483922
TranslateMessage.USER32(?), ref: 0048394B
DispatchMessageW.USER32(?), ref: 00483955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00483966

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e6b956bf743025c86a323533d8fb16062911f204e1dfbd9e1c3a221e0b9aef96
Instruction ID: cfab3a0175811c045164ca863a3fe19fea1ccd759c791dfe665831cb9672692f
Opcode Fuzzy Hash: e6b956bf743025c86a323533d8fb16062911f204e1dfbd9e1c3a221e0b9aef96
Instruction Fuzzy Hash: 4B31DAB09443819EEB35EF34D888B7B3BE8AB05B05F040D7BE452862A1D3FC9585CB19

Function 0048CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0048C21E,00000000), ref: 0048CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0048CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0048C21E,00000000), ref: 0048CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0048C21E,00000000), ref: 0048CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0048C21E,00000000), ref: 0048CFF2

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 98aec098887ba07bc22ddfb9a368c1993debbb0128ae7de484101cf3804d53d4
Instruction ID: 876457f0adcaf2424fbabab0cef010281955103ad9a08f2b8f0f95e5a748d9fa
Opcode Fuzzy Hash: 98aec098887ba07bc22ddfb9a368c1993debbb0128ae7de484101cf3804d53d4
Instruction Fuzzy Hash: 5C314171504205AFEB20EFA5D8C49AF7BF9EB15354B10486FF606D2280DB38AD459B68

Function 00471901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00471915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004719E2

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 085d660e6e7fb3195bc34f4fdc3be1d84c6fc89de580f156c20b6a24d221a68d
Instruction ID: b81f49960a7c1050747a43b0eeea243e6d0626db0cd380daa65a4b8b37457e6a
Opcode Fuzzy Hash: 085d660e6e7fb3195bc34f4fdc3be1d84c6fc89de580f156c20b6a24d221a68d
Instruction Fuzzy Hash: C931F6B1A00219EFCB10CFACCD98ADE3BB5EB05314F008226FA25A72E0C3749D45CB94

Function 004A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 004A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 004A579D
_wcslen.LIBCMT ref: 004A57AF
_wcslen.LIBCMT ref: 004A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 004A5816

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e69d7c13cfee4c0b5b5f4270a619e052e1bff7d024229b3e3a9b4c17043470eb
Instruction ID: a68b5054da3947af00bb4884a75f7ad8ccd26a7aca2bd31704d276795f5bfeb5
Opcode Fuzzy Hash: e69d7c13cfee4c0b5b5f4270a619e052e1bff7d024229b3e3a9b4c17043470eb
Instruction Fuzzy Hash: 7C21D775900608DADB20DF60CD84AEE7B7CFF16324F104117F919EA280D7789985CF59

Function 00490930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00490951
GetForegroundWindow.USER32 ref: 00490968
GetDC.USER32(00000000), ref: 004909A4
GetPixel.GDI32(00000000,?,00000003), ref: 004909B0
ReleaseDC.USER32(00000000,00000003), ref: 004909E8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6f66b99f1474ac2ce5f3f7d840feaef23cf7908b7fcf019991c7a53eafa980e0
Instruction ID: e348afaf92aaf7ff8b2808d734d348c12d10c30eb487fb869ddea32893235637
Opcode Fuzzy Hash: 6f66b99f1474ac2ce5f3f7d840feaef23cf7908b7fcf019991c7a53eafa980e0
Instruction Fuzzy Hash: B421A175600204AFD704EF65C984AAEBBE9EF49704F00843EE84AA7362DB34AC45CB94

Function 0044CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044CDE9

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044CE0F
_free.LIBCMT ref: 0044CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044CE31

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 08e1ae7251d896a1960962ce4e7754ec2ea01e1cf9f5a629c3fc0d4c9517cf23
Instruction ID: e5c4b19c28e31fe9e747232f6dac4d4b5fa34164c6cd0ee705155136c413902d
Opcode Fuzzy Hash: 08e1ae7251d896a1960962ce4e7754ec2ea01e1cf9f5a629c3fc0d4c9517cf23
Instruction Fuzzy Hash: DB0175726026157F376116B76CC8D7BAD6DDAC7BA1329012AFD05C6201DF698D0291B8

Function 00429639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00429693
SelectObject.GDI32(?,00000000), ref: 004296A2
BeginPath.GDI32(?), ref: 004296B9
SelectObject.GDI32(?,00000000), ref: 004296E2

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4853d94e95593719ae1833e5db8daf04a16c977158f633886e731729882d6b15
Instruction ID: 1dc2e6510d7a8b3376017f75bc0bbea1bcce5f88e2b3ab9b9b44a86e2b92b094
Opcode Fuzzy Hash: 4853d94e95593719ae1833e5db8daf04a16c977158f633886e731729882d6b15
Instruction Fuzzy Hash: 1921A1B0A42355EBDB118F64EC88BAA3BA4BF11355F500236F4109A2B2D3785C81CF9C

Function 00475711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00475726
_memcmp.LIBVCRUNTIME ref: 00475744
_memcmp.LIBVCRUNTIME ref: 00475757
_memcmp.LIBVCRUNTIME ref: 0047576F
_memcmp.LIBVCRUNTIME ref: 00475787

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7af7611d85b753bd4b00e5a3d71d25766f0c44141e088f0aad73b1a16dcb494e
Instruction ID: 95fe706676b1af874f0c5f7b09a68588c1f1f1fbdab0b9d9e0dbd6ae1940ddaf
Opcode Fuzzy Hash: 7af7611d85b753bd4b00e5a3d71d25766f0c44141e088f0aad73b1a16dcb494e
Instruction Fuzzy Hash: 200192A1641A09BAA20C55129D82FFB635C9B253A8F108037FD089EA41F7ADED1582AD

Function 00442DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0043F2DE,00443863,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6), ref: 00442DFD
_free.LIBCMT ref: 00442E32
_free.LIBCMT ref: 00442E59
SetLastError.KERNEL32(00000000,00411129), ref: 00442E66
SetLastError.KERNEL32(00000000,00411129), ref: 00442E6F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 18d39f4f35d788565a69eccbb32a4c16798351e5bd8cd9fe340a28c4741db5af
Instruction ID: 2a8e50c9df9d9ed104c4451fdea57554a7bd7abfa23c90cdcfea427223f98d00
Opcode Fuzzy Hash: 18d39f4f35d788565a69eccbb32a4c16798351e5bd8cd9fe340a28c4741db5af
Instruction Fuzzy Hash: 7A01F97224560167F61267366E85D2F2659ABD27A97F5003FF825E2293EEFCCC01412C

Function 0047000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?,?,0047035E), ref: 0047002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?), ref: 00470064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0046FF41,80070057,?,?), ref: 00470070

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e89e9185c9af94200255ca9a4afe8ad41df043aa060daf5fe0e1f4606f23c83a
Instruction ID: 23021f586f535801a659cad62ed450542fa43cbbbcdb01b6b7b344be3df9142e
Opcode Fuzzy Hash: e89e9185c9af94200255ca9a4afe8ad41df043aa060daf5fe0e1f4606f23c83a
Instruction Fuzzy Hash: D901A272601204FFDB505F68EC44BEA7EEDEF44762F148129F909D6210D779DD409BA4

Function 0047E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0047E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0047E9A5
Sleep.KERNEL32(00000000), ref: 0047E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0047E9B7
Sleep.KERNEL32 ref: 0047E9F3

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2179a7372f7dbf06ae8ae120ef0d17ef4bee33749576cdcef1aed6ef2d0e4017
Instruction ID: f2088184f57336d844a909f770ddc2b3d6f329e7bd0d8ac59f20cd0a270141e8
Opcode Fuzzy Hash: 2179a7372f7dbf06ae8ae120ef0d17ef4bee33749576cdcef1aed6ef2d0e4017
Instruction Fuzzy Hash: BA01A1B2D01529DBCF409FE6DD886DDBB78FF0E300F004296D601B2241CB384551CB69

Function 004710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00471114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 0047112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00470B9B,?,?,?), ref: 00471136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0047114D

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 7f78811814a72b0c02fdbb5afd4f8e47da716614da87759c790437b700499d45
Instruction ID: 3f38b739c9eebb035901a3d6181a786c075046380bdc294c554717718219e434
Opcode Fuzzy Hash: 7f78811814a72b0c02fdbb5afd4f8e47da716614da87759c790437b700499d45
Instruction Fuzzy Hash: CC011D79200205BFDB514FA9DC89AAB3F6EEF8A360B504425FA46D7360DA31DD009E64

Function 00470FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00470FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00470FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00470FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00470FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00471002

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2c84c71b5a7be7f69b4e30d5384410c2d2d18b4f021ee88ab878231e16aa690e
Instruction ID: b8981c4fdc8285d3277d01006d97029e100e31809b1bdea7f56964640f9af566
Opcode Fuzzy Hash: 2c84c71b5a7be7f69b4e30d5384410c2d2d18b4f021ee88ab878231e16aa690e
Instruction Fuzzy Hash: F2F0A975200301ABDB210FA89C89F973FADEF8A762F104825FA09D6260DE70DC408A64

Function 00471014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0047102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00471036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0047104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471062

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e20494f3a47d287b625f89700a330764807d549aeea3c630d1e7064eb03ff2b7
Instruction ID: 40e34e9eae8a88c544268f3db91f3f00edc97a0506d78080eabd363fde28ffe1
Opcode Fuzzy Hash: e20494f3a47d287b625f89700a330764807d549aeea3c630d1e7064eb03ff2b7
Instruction Fuzzy Hash: 0DF0A975200301ABDB211FA8EC88F973FADEF8A761F104425FA09E6260DE70D8408A64

Function 0048030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480324
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480331
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 0048033E
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 0048034B
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480358
CloseHandle.KERNEL32(?,?,?,?,0048017D,?,004832FC,?,00000001,00452592,?), ref: 00480365

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f34691dd8f73bd4e4db5348961348b5a9e62097038b719dd2a7259ee131cb3a4
Instruction ID: c32c7e71f5cdd539bc6d4072fb9e5749306e480631bf004e3a27d4ae3b5c44a9
Opcode Fuzzy Hash: f34691dd8f73bd4e4db5348961348b5a9e62097038b719dd2a7259ee131cb3a4
Instruction Fuzzy Hash: 1101DC72800B019FCB30AF66D88080BFBF9BE602053058E3FD19252A30C3B4A948CF84

Function 0044D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044D752

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 0044D764
_free.LIBCMT ref: 0044D776
_free.LIBCMT ref: 0044D788
_free.LIBCMT ref: 0044D79A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 143f466ed7a907e6981e3a3d70175cf5e3502c2cea1d21b49757def193a6f240
Instruction ID: 14dbad4606ffe41d2f073dcaad61d9b2f57bc155d9c8a2c59d83fd0eab05b2ef
Opcode Fuzzy Hash: 143f466ed7a907e6981e3a3d70175cf5e3502c2cea1d21b49757def193a6f240
Instruction Fuzzy Hash: 16F012B2A45205ABA621FB66FAC5C177BDDBB44715BD40C1BF048D7601C778FC80866C

Function 00475C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00475C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00475C6F
MessageBeep.USER32(00000000), ref: 00475C87
KillTimer.USER32(?,0000040A), ref: 00475CA3
EndDialog.USER32(?,00000001), ref: 00475CBD

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: bb59ec5287a00e61e4ab1e5b9356a4277eba31e13a9486c6b36868533097a465
Instruction ID: 9a317d90fb9fe38d13e78c233653d40680c15c65805b64baaf6f06db39f602f6
Opcode Fuzzy Hash: bb59ec5287a00e61e4ab1e5b9356a4277eba31e13a9486c6b36868533097a465
Instruction Fuzzy Hash: F3018630500B04AFFB215B10DD8EFE67BB8BB01B05F04456AA587A50E1DBF4A9898A99

Function 004422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004422BE

Part of subcall function 004429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000), ref: 004429DE
Part of subcall function 004429C8: GetLastError.KERNEL32(00000000,?,0044D7D1,00000000,00000000,00000000,00000000,?,0044D7F8,00000000,00000007,00000000,?,0044DBF5,00000000,00000000), ref: 004429F0

_free.LIBCMT ref: 004422D0
_free.LIBCMT ref: 004422E3
_free.LIBCMT ref: 004422F4
_free.LIBCMT ref: 00442305

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bd1493f46af5fbeff70f7d3d265acb9415c9f2c44b8aa34cf693d3a80b904407
Instruction ID: ded007adef903f19d41836a550c5a512f8eca7a9e8d7194f03c9851f85b970ad
Opcode Fuzzy Hash: bd1493f46af5fbeff70f7d3d265acb9415c9f2c44b8aa34cf693d3a80b904407
Instruction Fuzzy Hash: DCF054F45411919BAA12BF56BDC180D3B64F718761780056BF410EA372C7F91452EFEC

Function 004295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004295D4
StrokeAndFillPath.GDI32(?,?,004671F7,00000000,?,?,?), ref: 004295F0
SelectObject.GDI32(?,00000000), ref: 00429603
DeleteObject.GDI32 ref: 00429616
StrokePath.GDI32(?), ref: 00429631

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 431a56af6126d74fb934f5478809107661f17544e590573119585be63491499a
Instruction ID: 95a409aef37bcee009baea42993923f6b71e8e16e567864d5747744f86aa7a26
Opcode Fuzzy Hash: 431a56af6126d74fb934f5478809107661f17544e590573119585be63491499a
Instruction Fuzzy Hash: 08F0AF7114A244EBDB164FA4ED8C7653FA1BB02322F408234F425591F3CB388991CF2C

Function 00440F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004410F9
__freea.LIBCMT ref: 00441117

Part of subcall function 00441537: _free.LIBCMT ref: 0044154F

Strings

am/pm, xrefs: 0044117A
a/p, xrefs: 004411DE

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: ac29a15a75f5bae84f4bf38eaca9e3f7c03b467563d47b9fea527550e3e37074
Instruction ID: 0ceb46b2ee8850823f06aeb7929aa029d6cc207dcfd13acb96d393fe0527b033
Opcode Fuzzy Hash: ac29a15a75f5bae84f4bf38eaca9e3f7c03b467563d47b9fea527550e3e37074
Instruction Fuzzy Hash: 9BD1DE31A002069AFB249F68C845ABBB7B0FF05700F28415BE911ABB61D37D9DC1CB99

Function 004961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00430242: EnterCriticalSection.KERNEL32(004E070C,004E1884,?,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043024D
Part of subcall function 00430242: LeaveCriticalSection.KERNEL32(004E070C,?,0042198B,004E2518,?,?,?,004112F9,00000000), ref: 0043028A

Part of subcall function 004300A3: __onexit.LIBCMT ref: 004300A9

__Init_thread_footer.LIBCMT ref: 00496238

Part of subcall function 004301F8: EnterCriticalSection.KERNEL32(004E070C,?,?,00428747,004E2514), ref: 00430202
Part of subcall function 004301F8: LeaveCriticalSection.KERNEL32(004E070C,?,00428747,004E2514), ref: 00430235

Part of subcall function 0048359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004835E4
Part of subcall function 0048359C: LoadStringW.USER32(004E2390,?,00000FFF,?), ref: 0048360A

Strings

x#N, xrefs: 0049633A
x#N, xrefs: 0049636F
x#N, xrefs: 00496353

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#N$x#N$x#N
API String ID: 1072379062-56826683
Opcode ID: 39147560ad18f31416446e838bdff74776310c3d71ce3773bbb55d3b3734d6f4
Instruction ID: c9ba9791fd84f5f4aa6aa16194e221c61a93dfe8eef98ed134441fb040390de9
Opcode Fuzzy Hash: 39147560ad18f31416446e838bdff74776310c3d71ce3773bbb55d3b3734d6f4
Instruction Fuzzy Hash: C3C17F71A00105AFCF14EF99D890EBEBBB9EF48314F12806EE9059B251D778ED45CB98

Function 00445AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOA, xrefs: 00445BA8, 00445C6C

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: JOA
API String ID: 0-4101436360
Opcode ID: 87deaf03650484b5bfb456725a0e376c9996693db3396a84479cb781f0a7f70a
Instruction ID: 81db98df509d698b7c7209a264c5ff66790e7bc3a0b2e1f92e08d4c7083a60d6
Opcode Fuzzy Hash: 87deaf03650484b5bfb456725a0e376c9996693db3396a84479cb781f0a7f70a
Instruction Fuzzy Hash: 4151C171D006099FEF209FA5C885FAFBBB4EF09314F14005BF405A7293D6799902CB6A

Function 00448A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00448B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00448B7A
__dosmaperr.LIBCMT ref: 00448B81

Strings

.C, xrefs: 00448A63

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .C
API String ID: 2434981716-1181961956
Opcode ID: b4b5be51b042283190a2174b5a85a689248d549f55c904eed8fcce7da5501a6a
Instruction ID: 876e3e89d12ec28d3a816206eda3b7418d01e9375f873fec0301dd9fe1d29aae
Opcode Fuzzy Hash: b4b5be51b042283190a2174b5a85a689248d549f55c904eed8fcce7da5501a6a
Instruction Fuzzy Hash: A5418E70604085AFFB249F24CC81A7E7FA5DB86304F2841AFF85497242DE799C53979C

Function 00472716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004721D0,?,?,00000034,00000800,?,00000034), ref: 0047B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00472760

Part of subcall function 0047B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0047B3F8

Part of subcall function 0047B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0047B355
Part of subcall function 0047B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00472194,00000034,?,?,00001004,00000000,00000000), ref: 0047B365
Part of subcall function 0047B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00472194,00000034,?,?,00001004,00000000,00000000), ref: 0047B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0047281A

Strings

@, xrefs: 00472832

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e75cdcd01f02b8d1c994f5de6ad2e6fb2f374daa85f874f4d6fa5a51d1b83f7d
Instruction ID: ece7c4acca13ec0c699f4aa41f657afa398bf470d499fc4f00e7c5bbaa8e9516
Opcode Fuzzy Hash: e75cdcd01f02b8d1c994f5de6ad2e6fb2f374daa85f874f4d6fa5a51d1b83f7d
Instruction Fuzzy Hash: AB413072900218AFDB10DFA4CD41BDEBBB8EF05304F00819AFA59B7181DB756E85CB95

Function 0044172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00441769
_free.LIBCMT ref: 00441834
_free.LIBCMT ref: 0044183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00441760, 00441767, 00441796, 004417CE

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: b4561e3ece174b7b87abf092e99de7caf8d94870fbd739fdd3e471e05f8cf732
Instruction ID: e6daf98204c1486b4033c53dace1f45ae52d7552e79a54cd432265da8d768396
Opcode Fuzzy Hash: b4561e3ece174b7b87abf092e99de7caf8d94870fbd739fdd3e471e05f8cf732
Instruction Fuzzy Hash: 4C318371A40258ABEB21DB9A9C81D9FBBFCEB85310B1441ABF504A7221D6744A80CB98

Function 0047C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0047C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0047C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004E1990,016F5500), ref: 0047C395

Strings

0, xrefs: 0047C2DF

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 861342acafa3479daa35de97740a82bca3f1f25c9ee3e0d31f31d9a706338fd6
Instruction ID: ca7b83f462996cfa4db5589584a919406778e3f4ac46951a50779401c90e84e1
Opcode Fuzzy Hash: 861342acafa3479daa35de97740a82bca3f1f25c9ee3e0d31f31d9a706338fd6
Instruction Fuzzy Hash: 2E418F712043019FD720DF25D884B9ABBE8AB85324F14C61EFDA9972D1D778A904CB6A

Function 004A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004ACC08,00000000,?,?,?,?), ref: 004A44AA
GetWindowLongW.USER32 ref: 004A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004A44D7

Strings

SysTreeView32, xrefs: 004A447C

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 880e6787fa4053b923dd72c85b75bc62b710673df055dd979284f2a8ff52493d
Instruction ID: e45ae8497fde00ea699975e0baa6b1a08c5326ba50c8acc82a69c4faa1a0856d
Opcode Fuzzy Hash: 880e6787fa4053b923dd72c85b75bc62b710673df055dd979284f2a8ff52493d
Instruction Fuzzy Hash: A831B231200205AFDB208F78DC45BDB7BA9EB9A338F20472AF975922D0D7B8EC509754

Function 00476E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00476EED
VariantCopyInd.OLEAUT32(?,?), ref: 00476F08
VariantClear.OLEAUT32(?), ref: 00476F12

Strings

*jG, xrefs: 00476E8B, 00476E90, 00476EF8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jG
API String ID: 2173805711-3174124858
Opcode ID: 532eaa85fe75b0e4e21517a9be614e7ddc8613fb8b063b750d59b156a4094bf4
Instruction ID: ca92d3ab91f30acc51170f67dcaca04aec4c3d6986c15e87d1a0a1d2b614d77a
Opcode Fuzzy Hash: 532eaa85fe75b0e4e21517a9be614e7ddc8613fb8b063b750d59b156a4094bf4
Instruction Fuzzy Hash: 8F319071704606DBCB04AF65E8909FE3777EF45308B1144AAF90A4B2A1C7389952DBDD

Function 0049304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0049335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00493077,?,?), ref: 00493378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0049307A
_wcslen.LIBCMT ref: 0049309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00493106

Strings

255.255.255.255, xrefs: 00493095, 0049309A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b846ea03849b7cf3a037420d21f80fadcfd4415dea69e6d5f869bc7357fa7a48
Instruction ID: 2309739ad176778b1fbb4edccff78af1228bb4c28be928dd8ee4c6289cc451b6
Opcode Fuzzy Hash: b846ea03849b7cf3a037420d21f80fadcfd4415dea69e6d5f869bc7357fa7a48
Instruction Fuzzy Hash: A331D5352002019FCF20DF69C486EAA7FE0EF56319F24806AE9158B3A2D779EE45C765

Function 004A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004A471A

Strings

msctls_updown32, xrefs: 004A4684

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: d4944e9b556eb0b9e5f146698d3d0f3c0d53e2fd79fa4ba854c3605969a50de7
Instruction ID: 342302416842dbe5e8a820cf96fba1abf55ab34af325e8514b308ddfa1708659
Opcode Fuzzy Hash: d4944e9b556eb0b9e5f146698d3d0f3c0d53e2fd79fa4ba854c3605969a50de7
Instruction Fuzzy Hash: CD2162B5601244AFDB10DF68DCC1DBB37ADEB9B398B04005AFA009B361DB74EC51CA64

Function 004795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0047961D

Strings

#notrayicon, xrefs: 004795B7
#requireadmin, xrefs: 004795D9
#OnAutoItStartRegister, xrefs: 004795F3

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 64dcfe73b405c8eb4813e3623093163506a3265835af3dd6e88bae5ae9de11da
Instruction ID: aa405bb422afbe7927a0bb2e7d602d9b8112f0a1fb63b39fa494f1d455cd9b62
Opcode Fuzzy Hash: 64dcfe73b405c8eb4813e3623093163506a3265835af3dd6e88bae5ae9de11da
Instruction Fuzzy Hash: 06212E7210462166D331AB269C02FF773E89F65314F54802FF94D97241EB5DAD45C29D

Function 004A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004A3876

Strings

Listbox, xrefs: 004A380F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 4774221057044af95b8dc44b54bbd4d565a11c2dd4b0e2acd17bb3da107af83f
Instruction ID: bdf332832c4d3c633d1f203710be3d44e1e59fcd21e73d3262a835f34456e84d
Opcode Fuzzy Hash: 4774221057044af95b8dc44b54bbd4d565a11c2dd4b0e2acd17bb3da107af83f
Instruction Fuzzy Hash: 862107726001187BEF11DF54CC80FBB376EEF9A754F10812AF9009B290D679DC518794

Function 004849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00484A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00484A5C
SetErrorMode.KERNEL32(00000000,?,?,004ACC08), ref: 00484AD0

Strings

%lu, xrefs: 00484A6F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: fa5d26eb0e0566b1e5d05ecefd26c460b1112efcd8688c8e78f352778cbdedf0
Instruction ID: c4e3ee8dfc34bc2c52ffc4d8305aea6d59b9c2d21503e4231c32b609fe6cbba1
Opcode Fuzzy Hash: fa5d26eb0e0566b1e5d05ecefd26c460b1112efcd8688c8e78f352778cbdedf0
Instruction Fuzzy Hash: 0D318075A00109AFD710DF54C885EAE7BF8EF49308F1480AAE809DB352DB75ED45CB65

Function 004A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004A4271

Strings

msctls_trackbar32, xrefs: 004A4226

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 803734ff345fb930105773d849f1d0ed670929e1412b7aff903d1749a56e7ad4
Instruction ID: d34ff235fa9ffbdd703f64f95d5d4ad6ceb2d31c266f3ebcbd5deaee30c8d840
Opcode Fuzzy Hash: 803734ff345fb930105773d849f1d0ed670929e1412b7aff903d1749a56e7ad4
Instruction Fuzzy Hash: 6A113A322402087EEF205F25CC45FAB3BACEFD6764F010126FA40E6190D2B5DC518B18

Function 00472F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

Part of subcall function 00472DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00472DC5
Part of subcall function 00472DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00472DD6
Part of subcall function 00472DA7: GetCurrentThreadId.KERNEL32 ref: 00472DDD
Part of subcall function 00472DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00472DE4

GetFocus.USER32 ref: 00472F78

Part of subcall function 00472DEE: GetParent.USER32(00000000), ref: 00472DF9

GetClassNameW.USER32(?,?,00000100), ref: 00472FC3
EnumChildWindows.USER32(?,0047303B), ref: 00472FEB

Strings

%s%d, xrefs: 00472FFF

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 938b035bf15ce9bc11b5fdff85247d92f06d5eca47bf9eac341b8ee427d3f23e
Instruction ID: 7cba6459d84f60ebceb6e958ef49e9b8f75ae700e1641ecb818d52fbb0678e4f
Opcode Fuzzy Hash: 938b035bf15ce9bc11b5fdff85247d92f06d5eca47bf9eac341b8ee427d3f23e
Instruction Fuzzy Hash: 0911E4B16002056BCF50BF718CC5FEE376AAF84308F04807BF90D9B252DE7899499B68

Function 004A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004A58EE
DrawMenuBar.USER32(?), ref: 004A58FD

Strings

0, xrefs: 004A588F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 09c96403d485ad9761e12f6e50c2bdb1dd3a95b975ccce58339d0c9bcef00b1a
Instruction ID: 6cce3f63e860bbd74be7087d248058969e21914c936b1b22677b24cb85b8bc67
Opcode Fuzzy Hash: 09c96403d485ad9761e12f6e50c2bdb1dd3a95b975ccce58339d0c9bcef00b1a
Instruction Fuzzy Hash: 68018471500218EFDB519F11EC44BAFBBB8FF46360F1080AAF849DA251DB348A84DF25

Function 0046D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0046D3BF
FreeLibrary.KERNEL32 ref: 0046D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0046D3B9
X64, xrefs: 0046D2A8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: f1f536a6f2a6af520e501bc44b8f85bf0ddf890d1d1d9cf08b3cb1e71b5a83b9
Instruction ID: eb3fd32eb4a23ec234452eacef63ff6ae43b5d4cafe3d40ef5ada43a0b1292ec
Opcode Fuzzy Hash: f1f536a6f2a6af520e501bc44b8f85bf0ddf890d1d1d9cf08b3cb1e71b5a83b9
Instruction Fuzzy Hash: C3F055B1F05A208BD7B102115CB4AAA3720AF11702B98C1A7EC02E9308F72CCC818ADF

Function 0047007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e7a76b08c311a0456e80ac93ce77fd7f81d2607a6960046681a79c580d8619
Instruction ID: 30904cbb3f1f7f3b0e0d26bc88f3c04b36d29190e2af97f3209cc02610a4562d
Opcode Fuzzy Hash: b4e7a76b08c311a0456e80ac93ce77fd7f81d2607a6960046681a79c580d8619
Instruction Fuzzy Hash: 64C16C75A0120AEFDB14CFA4C894EAEB7B5FF48304F208599E909EB251D735ED42CB94

Function 0049342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00493459
CoUninitialize.OLE32 ref: 00493463
VariantInit.OLEAUT32(?), ref: 0049346E
VariantClear.OLEAUT32(?), ref: 0049371B

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 3983d4b5174a8f8509d461ca3e6607f8c9bae26427699d4236e4aa1a94cb39a0
Instruction ID: 35e2ece6c6adc5468c17c6a0e55e15e1f88f114d03215012f1905c35e75a5f7d
Opcode Fuzzy Hash: 3983d4b5174a8f8509d461ca3e6607f8c9bae26427699d4236e4aa1a94cb39a0
Instruction Fuzzy Hash: 4DA16E75204300AFCB10DF25C485A5ABBE5FF89719F04885EF94A9B362DB38ED41CB5A

Function 00470436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004AFC08,?), ref: 004705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004AFC08,?), ref: 00470608
CLSIDFromProgID.OLE32(?,?,00000000,004ACC40,000000FF,?,00000000,00000800,00000000,?,004AFC08,?), ref: 0047062D
_memcmp.LIBVCRUNTIME ref: 0047064E

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 49d480c9e0232dd85253fb5e1a619da80e2ee7ae5ab4adc54cd0f5f3244fd1b8
Instruction ID: 6666d4d76a5eabef93e750efca45d4cb71ebea393a0ee7ec06c185f2e6e5e93f
Opcode Fuzzy Hash: 49d480c9e0232dd85253fb5e1a619da80e2ee7ae5ab4adc54cd0f5f3244fd1b8
Instruction Fuzzy Hash: CB813971A00109EFCB04DF94C984EEEB7B9FF89315F208159F506AB250DB75AE06CB64

Function 0049A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0049A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0049A6BA

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Process32NextW.KERNEL32(00000000,?), ref: 0049A79C
CloseHandle.KERNEL32(00000000), ref: 0049A7AB

Part of subcall function 0042CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00453303,?), ref: 0042CE8A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d3bc3f1d386050d24e0a5202824667c5ec072c02e6a1227486468522d91f1b14
Instruction ID: df926239ac5d77136032d197bdc39203963052ccd754074aa1f0b18be269c5cb
Opcode Fuzzy Hash: d3bc3f1d386050d24e0a5202824667c5ec072c02e6a1227486468522d91f1b14
Instruction Fuzzy Hash: 0A518171508300AFC710EF25C886A5BBBF8FF89758F40492EF58597251EB34E944CB96

Function 00451391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004514C0

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8d07611b345f147778ec4bee98ff6eab5d28410972cbdfc56c99cc14b695cf94
Instruction ID: 9b124a8551b40aada1c48fc126a7b84a76fc1153a0df3f8410306c87279c5abc
Opcode Fuzzy Hash: 8d07611b345f147778ec4bee98ff6eab5d28410972cbdfc56c99cc14b695cf94
Instruction Fuzzy Hash: 52414131900100A7EB256BBA8C45B6F3AA4EF47379F14126BFC14D62F3E67C48495269

Function 004A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004A62E2
ScreenToClient.USER32(?,?), ref: 004A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 004A6382

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4825c11e2167e88004f225f39307592f56ba0d89aacb7d7a96589b554e058f78
Instruction ID: 11bd6ad433e23e12338e730dfdeedd3a83641ac58d97fca0e4aa8655945ee193
Opcode Fuzzy Hash: 4825c11e2167e88004f225f39307592f56ba0d89aacb7d7a96589b554e058f78
Instruction Fuzzy Hash: 77515C75A00209EFCF10DF68D880AAE7BB5EB66360F15816AF8159B3A1D734ED81CB54

Function 00491AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00491AFD
WSAGetLastError.WSOCK32 ref: 00491B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00491B8A
WSAGetLastError.WSOCK32 ref: 00491B94

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 42d8a671c9e0dea82dfdaa88628f17149bc70e7fda7e18c5f1127a4de40f3cb9
Instruction ID: 5838e8bb0a7c4d6a5d4fc4d59643e5c8a4caa6b83900d64a435e38f72263d2ed
Opcode Fuzzy Hash: 42d8a671c9e0dea82dfdaa88628f17149bc70e7fda7e18c5f1127a4de40f3cb9
Instruction Fuzzy Hash: B041E334600201AFDB20AF25C886F667BE5AB44708F54C45DF91A8F3D3D77AED828B94

Function 0044B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827480882dd9c1f8c197c620b9e981d251778628a1b402f35e200e47cb506d8b
Instruction ID: dd47dff0d69632b1fc069f2b275dbdf994a5d5a1e7ba879f1174c8a7cf57d6d5
Opcode Fuzzy Hash: 827480882dd9c1f8c197c620b9e981d251778628a1b402f35e200e47cb506d8b
Instruction Fuzzy Hash: 21411571A00704BFE7249F39CC42BAABBA9EB88714F10852FF555DB292D379E90187D4

Function 004856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00485783
GetLastError.KERNEL32(?,00000000), ref: 004857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004857FA

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5f0f4c100b1a50d0fc1f14d23f28f5df87dd9aa909db56d5ac9ec0e2c783b0c0
Instruction ID: 1e1c1169006bbf6b6143515db2d0c20cab159cc2f3de8a0992a1fa34eb0b59a9
Opcode Fuzzy Hash: 5f0f4c100b1a50d0fc1f14d23f28f5df87dd9aa909db56d5ac9ec0e2c783b0c0
Instruction Fuzzy Hash: 15414135600610DFCB11EF15C484A5EBBF2EF49318B18C89AE84A5B361CB38FD41CB95

Function 0044D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00436D71,00000000,00000000,004382D9,?,004382D9,?,00000001,00436D71,?,00000001,004382D9,004382D9), ref: 0044D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0044D9AB
__freea.LIBCMT ref: 0044D9B4

Part of subcall function 00443820: RtlAllocateHeap.NTDLL(00000000,?,004E1444,?,0042FDF5,?,?,0041A976,00000010,004E1440,004113FC,?,004113C6,?,00411129), ref: 00443852

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: db6fc114a5125d9c4aeb1be850741bfce174e58f50b987c98a5e3acc735e1d1d
Instruction ID: e8bde2569c75b5926976a0984e8d8c2a6f801f9ae542add750c0619c37f1fac0
Opcode Fuzzy Hash: db6fc114a5125d9c4aeb1be850741bfce174e58f50b987c98a5e3acc735e1d1d
Instruction Fuzzy Hash: 9231CDB2A0020AABEF249F65DC81EAF7BA5EF41710F05016AFC04D6290EB39CD50CB94

Function 004A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 004A5352
GetWindowLongW.USER32(?,000000F0), ref: 004A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004A53A8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: cac88b56cb4744f60406c7bb9657527409bd96b5b70ef398f1faf8076d212c98
Instruction ID: 5e8ae4d23a4f02b47f2ee34d72c6edb614801b4ce34adc7abb237c8f3a33946b
Opcode Fuzzy Hash: cac88b56cb4744f60406c7bb9657527409bd96b5b70ef398f1faf8076d212c98
Instruction Fuzzy Hash: F231E430A55A08FFEF309E14DE45BEA3761ABA6390F584113FE11962E1C7B89D40DB4A

Function 0047AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0047ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0047AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0047AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0047ACC6

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2e85973924a3b6836fea5be79c1db061b3275b2a578a557089be282fa5378c83
Instruction ID: 9b7cd69b858423b3bd1728dbb7ac65d4c7f4aa9068d8a61e12e4371e9a0aec77
Opcode Fuzzy Hash: 2e85973924a3b6836fea5be79c1db061b3275b2a578a557089be282fa5378c83
Instruction Fuzzy Hash: E031F830A006187FEF36CB658809BFF7BA5ABC5310F04C21BE489522D1C37D89A5879B

Function 004A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004A769A
GetWindowRect.USER32(?,?), ref: 004A7710
PtInRect.USER32(?,?,004A8B89), ref: 004A7720
MessageBeep.USER32(00000000), ref: 004A778C

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ad9f01b04d0407ebe58d1bd6a8efa648627726e7214698e0dfb4ece4a22d255d
Instruction ID: 281c847e5ef4d4bb3d3a3a44e00c7075ba0e0596c4a0cda96c2079c6931409f3
Opcode Fuzzy Hash: ad9f01b04d0407ebe58d1bd6a8efa648627726e7214698e0dfb4ece4a22d255d
Instruction Fuzzy Hash: 0D419F78605254DFCB21CF58CC94EAA77F4BB5A314F1541AAE4149B362C738B941CF98

Function 004A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004A16EB

Part of subcall function 00473A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00473A57
Part of subcall function 00473A3D: GetCurrentThreadId.KERNEL32 ref: 00473A5E
Part of subcall function 00473A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004725B3), ref: 00473A65

GetCaretPos.USER32(?), ref: 004A16FF
ClientToScreen.USER32(00000000,?), ref: 004A174C
GetForegroundWindow.USER32 ref: 004A1752

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c1dc95facfe6ee1440833f223fb5cfa58ea6465fa3fc6fbec1d51d8f98b5bfc7
Instruction ID: 7f96c364aa62962e8546d8dc61a75a9c9848e96c4e7ba32d5638bef45d9228bd
Opcode Fuzzy Hash: c1dc95facfe6ee1440833f223fb5cfa58ea6465fa3fc6fbec1d51d8f98b5bfc7
Instruction Fuzzy Hash: 73313D75D00249AFC700EFAAC8C18EEBBF9EF49308B5080AAE415E7251D635DE45CBA4

Function 004A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

GetCursorPos.USER32(?), ref: 004A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00467711,?,?,?,?,?), ref: 004A9016
GetCursorPos.USER32(?), ref: 004A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00467711,?,?,?), ref: 004A9094

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 92e249b46de13416d1d93ccc39a885b4193c78241ceac73206379186a51af7de
Instruction ID: 935d4800c79c01b11d80747103308528a3e2cbb5f504a3cd88e748a6b9cab65d
Opcode Fuzzy Hash: 92e249b46de13416d1d93ccc39a885b4193c78241ceac73206379186a51af7de
Instruction Fuzzy Hash: 4B219F35604018FFCB258F94D898EEB7BB9EB4A390F14806AF9054B262C3399D90DB64

Function 0047D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004ACB68), ref: 0047D2FB
GetLastError.KERNEL32 ref: 0047D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0047D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,004ACB68), ref: 0047D376

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2cbf998efb7b84d7c9b93faf74577725f69a0ba50cd196103bfbaaf45d0c1633
Instruction ID: a93264fde7d96f01c7be7b17843a0f24cf62a776a4c71e9b68568ef6115461f8
Opcode Fuzzy Hash: 2cbf998efb7b84d7c9b93faf74577725f69a0ba50cd196103bfbaaf45d0c1633
Instruction Fuzzy Hash: E72194709142019F8700DF24C8814EB77F4AE56368F108A1FF899C72A1DB35DD46CB9B

Function 00471571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00471014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0047102A
Part of subcall function 00471014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00471036
Part of subcall function 00471014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471045
Part of subcall function 00471014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0047104C
Part of subcall function 00471014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00471062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004715BE
_memcmp.LIBVCRUNTIME ref: 004715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00471617
HeapFree.KERNEL32(00000000), ref: 0047161E

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 67ddbd88e4e5af09870c64dc9d6605923ecca63a1c17edca9303cd8587e4c3c5
Instruction ID: d9dfff3dabab45ceb8714f1668bca5812e270d89e350ba0174a533abbe99d602
Opcode Fuzzy Hash: 67ddbd88e4e5af09870c64dc9d6605923ecca63a1c17edca9303cd8587e4c3c5
Instruction Fuzzy Hash: 2921AE71E00108EFDF04DFA8C944BEFB7B8EF45344F18845AE445AB250E734AA04DB94

Function 004A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004A2840

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 32d6e3762ba7350183a8e24eaf63ea573b5a21e05bf2005e2b599879745df4f7
Instruction ID: db56252bdc6e01d2df789c08ab52efa053a809606eb9348d55a1efcbf3e682fd
Opcode Fuzzy Hash: 32d6e3762ba7350183a8e24eaf63ea573b5a21e05bf2005e2b599879745df4f7
Instruction Fuzzy Hash: 6A212735204510BFD7149B18C944FAA7B95EF56328F14421EF4268B2D2C7B9FC82C7D4

Function 004778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00478D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0047790A,?,000000FF,?,00478754,00000000,?,0000001C,?,?), ref: 00478D8C
Part of subcall function 00478D7D: lstrcpyW.KERNEL32(00000000,?,?,0047790A,?,000000FF,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00478DB2
Part of subcall function 00478D7D: lstrcmpiW.KERNEL32(00000000,?,0047790A,?,000000FF,?,00478754,00000000,?,0000001C,?,?), ref: 00478DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00477923
lstrcpyW.KERNEL32(00000000,?,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00477949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00478754,00000000,?,0000001C,?,?,00000000), ref: 00477984

Strings

cdecl, xrefs: 0047797B

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e6ce1e76948cc15f4165c043d0b2b774ffefbd0a7f6723b23e9d76211a45fa76
Instruction ID: f817beb4e83c21496eaef826c97270e96265de037aa7a0ba54ec5e5f834742d1
Opcode Fuzzy Hash: e6ce1e76948cc15f4165c043d0b2b774ffefbd0a7f6723b23e9d76211a45fa76
Instruction Fuzzy Hash: 961106BA201201ABDB259F35D844EBB77A9FF95354B90802FF90AC7364EB359801C799

Function 004A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 004A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0048B7AD,00000000), ref: 004A7D6B

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4d116b3a2b0ef00409dc8062ed860a11a21c4d6f944aa111f0220a360637a86c
Instruction ID: 2ff3fdd6f282687191af6c6a1e9b2827e79318cc6051e5ebe701b8a412397121
Opcode Fuzzy Hash: 4d116b3a2b0ef00409dc8062ed860a11a21c4d6f944aa111f0220a360637a86c
Instruction Fuzzy Hash: 2711D271604664AFCB209F28CC44EAA3BA4BF46360B154325F835CB2F0D7349D11CB48

Function 004A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004A56BB
_wcslen.LIBCMT ref: 004A56CD
_wcslen.LIBCMT ref: 004A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 004A5816

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 40fbca56e91c3880ad024139c5cd30f0f34810fba1066e50c22e1c13d253272d
Instruction ID: 93121e1a561321c9f23ce53c36f06316e67adc567e77f579c6c7e89628b9b1c7
Opcode Fuzzy Hash: 40fbca56e91c3880ad024139c5cd30f0f34810fba1066e50c22e1c13d253272d
Instruction Fuzzy Hash: 8111E47160060496DB20DF618D81AEF377CBF26364F10402BF905D6181EB789984CB69

Function 00441D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693c1b9348d53e0b407e5a73963cad68b971c5e093a46b6d6118ecbda7eda00f
Instruction ID: 9c390f9af195b6f70818d3e09ce3d1c66d0ad593979d0d7e4b33f55b196544e3
Opcode Fuzzy Hash: 693c1b9348d53e0b407e5a73963cad68b971c5e093a46b6d6118ecbda7eda00f
Instruction Fuzzy Hash: C101A2F2B056163EF62116796CC0F27661DDF423B8B34032BF531512E2DB78AC814178

Function 00471A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00471A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00471A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00471A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00471A8A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7644f6fb94bcaf4e820bbc0acd5abd0986869e14feafce7cfe9c983fb9f9b38c
Instruction ID: c9cefd1887674e26659ef604a5fb5134bf2a5a4f64c1251a1edf0bb595c37f8d
Opcode Fuzzy Hash: 7644f6fb94bcaf4e820bbc0acd5abd0986869e14feafce7cfe9c983fb9f9b38c
Instruction Fuzzy Hash: 51113C3AD01219FFEB10DBA9CD85FEDBB78EB04750F204092E604B7290D6716E50DB98

Function 0047E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0047E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0047E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0047E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0047E24D

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: c104f3af63004dd52515a7bc3390fe84f3dc41de93c5742a118a384d4a9fb2ca
Instruction ID: b6a6a592197608a640e563703b85459fdc524964f18a76730567629e4bcabd6a
Opcode Fuzzy Hash: c104f3af63004dd52515a7bc3390fe84f3dc41de93c5742a118a384d4a9fb2ca
Instruction Fuzzy Hash: 9C110876A04254BBD7019BA99C45ADF7FAC9B49310F1083A6F818E7292D6748D008BA8

Function 0043D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0043CFF9,00000000,00000004,00000000), ref: 0043D218
GetLastError.KERNEL32 ref: 0043D224
__dosmaperr.LIBCMT ref: 0043D22B
ResumeThread.KERNEL32(00000000), ref: 0043D249

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 52d39bbaf73147edf9d085802b1177c033876b141600fdaad03e42d67c866e35
Instruction ID: 51834051b16dd18420ce9ff13f306668a1988137b665389d80b9f0c1e11753a7
Opcode Fuzzy Hash: 52d39bbaf73147edf9d085802b1177c033876b141600fdaad03e42d67c866e35
Instruction Fuzzy Hash: 94012632C04104BBDB105BA6EC05BAF7E68DF8A334F20126AF824921D0CF75C805C7A9

Function 004A9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00429BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00429BB2

GetClientRect.USER32(?,?), ref: 004A9F31
GetCursorPos.USER32(?), ref: 004A9F3B
ScreenToClient.USER32(?,?), ref: 004A9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 004A9F7A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: b2dec96a9606d0f0bf73f7233cd8aa875d21695e8f204e159abdd8693184b314
Instruction ID: 98fec1e1e37514280c8ac5d622cc9169f06ebb00828e5fc2c4889cfb7e3194a3
Opcode Fuzzy Hash: b2dec96a9606d0f0bf73f7233cd8aa875d21695e8f204e159abdd8693184b314
Instruction Fuzzy Hash: D6113632A0015AAFDF14DF69D8859EE7BB8FB0A315F000466F901E7151D338BE81CBA9

Function 0041600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0041604C
GetStockObject.GDI32(00000011), ref: 00416060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0041606A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: a74eaccfdf4773ea6a60f566481b17940b87a479eb4b1f57cbe54407961b4cc1
Instruction ID: ba29f56646e72325f0e0a788eb15f6c67daab6a637d514e49be6388f97691490
Opcode Fuzzy Hash: a74eaccfdf4773ea6a60f566481b17940b87a479eb4b1f57cbe54407961b4cc1
Instruction Fuzzy Hash: DE116172501549BFEF528FA49C84EEB7F69EF0D354F050116FA1456110D736DCA0DBA4

Function 00433B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00433B56

Part of subcall function 00433AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00433AD2
Part of subcall function 00433AA3: ___AdjustPointer.LIBCMT ref: 00433AED

_UnwindNestedFrames.LIBCMT ref: 00433B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00433B7C
CallCatchBlock.LIBVCRUNTIME ref: 00433BA4

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 68d22ebf473e438da906f1ad14b5d256cb04ca95e965f870ed07a3eb120ae729
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 85012932100148BBDF126E96CC42EEB7B79EF9C759F04501AFE4866121C73AE961DBA4

Function 00443073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004113C6,00000000,00000000,?,0044301A,004113C6,00000000,00000000,00000000,?,0044328B,00000006,FlsSetValue), ref: 004430A5
GetLastError.KERNEL32(?,0044301A,004113C6,00000000,00000000,00000000,?,0044328B,00000006,FlsSetValue,004B2290,FlsSetValue,00000000,00000364,?,00442E46), ref: 004430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044301A,004113C6,00000000,00000000,00000000,?,0044328B,00000006,FlsSetValue,004B2290,FlsSetValue,00000000), ref: 004430BF

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 85e838e7c8c9946ee77f27aec168ce9842e41902318da09ad6c22b4c183db6d9
Instruction ID: 20370f9e5c0777ce75d17edaff14bb9f75e7d6c47a18ce68a7c3708be8396776
Opcode Fuzzy Hash: 85e838e7c8c9946ee77f27aec168ce9842e41902318da09ad6c22b4c183db6d9
Instruction Fuzzy Hash: 29012B32741222ABEB314F789C84A577F98AF06F62B200731F906E7244C725D901C6E8

Function 00477464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0047747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00477497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004774CA

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 82e96085e238b30f4895549be0b81f59032c72a1c61f9501471e776f2b5b00dc
Instruction ID: 5d4b0b2c14d54208af231344c9bde40a44e53b31e1d546870ab09c4f8815ee54
Opcode Fuzzy Hash: 82e96085e238b30f4895549be0b81f59032c72a1c61f9501471e776f2b5b00dc
Instruction Fuzzy Hash: 5111ADB1209310ABE7208F24DD48FE27FFCEB04B00F50C56AE61AD6191D7B4E904DBA9

Function 0047B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0047ACD3,?,00008000), ref: 0047B126

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 79138d6bb3f5784e058b7eb508b89335c1e2aed42c0ca19fde1b66e9572b415d
Instruction ID: 48d7e74df17b6057cc97bd64d346efdc4ee027ff9fb537a47fbbac906ef5a239
Opcode Fuzzy Hash: 79138d6bb3f5784e058b7eb508b89335c1e2aed42c0ca19fde1b66e9572b415d
Instruction Fuzzy Hash: 86117C30E01528D7CF00AFA4EAA87EEBF78FF0A311F408096D945B2241CB3445518B99

Function 004A7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004A7E33
ScreenToClient.USER32(?,?), ref: 004A7E4B
ScreenToClient.USER32(?,?), ref: 004A7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004A7E8A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f4560ed03012a49d04bd550790c41d4b3ef3fa89bbf29b696fb577c13db41c4e
Instruction ID: 61f820cc36747897e45c3b5af39981a38d50400be079b78ae5df7258617dea20
Opcode Fuzzy Hash: f4560ed03012a49d04bd550790c41d4b3ef3fa89bbf29b696fb577c13db41c4e
Instruction Fuzzy Hash: 2A1153B9D0020AAFDB51CF98C884AEEBBF9FF19310F509066E915E3210D735AA54CF94

Function 00472DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00472DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00472DD6
GetCurrentThreadId.KERNEL32 ref: 00472DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00472DE4

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1961b794c472422b4c0de5b98f74789b9ee487e4c7e277c354c126e401f34e1a
Instruction ID: b87f01c5f10060a412492a9b1b870ec1c2e0f909fe0a99c32d192a9ea3c82a0e
Opcode Fuzzy Hash: 1961b794c472422b4c0de5b98f74789b9ee487e4c7e277c354c126e401f34e1a
Instruction Fuzzy Hash: 3AE092B16412247BD7705B729C4DFEB3E6CEF43BA1F004026F109D10809AE4C841C6B4

Function 004A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00429639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00429693
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296A2
Part of subcall function 00429639: BeginPath.GDI32(?), ref: 004296B9
Part of subcall function 00429639: SelectObject.GDI32(?,00000000), ref: 004296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 004A8887
LineTo.GDI32(?,?,?), ref: 004A8894
EndPath.GDI32(?), ref: 004A88A4
StrokePath.GDI32(?), ref: 004A88B2

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: eea3409c18f287947b44ebd05b5ab5a1801d7610fb28201d391157bbadf28e96
Instruction ID: 9556261b7eb524f335d09c0165836ef93800bf7b0f5930650f5c2abbaad27742
Opcode Fuzzy Hash: eea3409c18f287947b44ebd05b5ab5a1801d7610fb28201d391157bbadf28e96
Instruction Fuzzy Hash: 7CF09A36045258FADB122F94AC4DFCE3F59AF16310F408015FA01650E2CB780511CFAD

Function 004298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004298CC
SetTextColor.GDI32(?,?), ref: 004298D6
SetBkMode.GDI32(?,00000001), ref: 004298E9
GetStockObject.GDI32(00000005), ref: 004298F1

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f7eb25c1e1786a791e1d19045a287f18faec2516a04ed175f5ca662420be32dc
Instruction ID: ba928036872f7c2ef7d45635bf9db5963d2cb7e7167ecdbaa58ff43519a9b47b
Opcode Fuzzy Hash: f7eb25c1e1786a791e1d19045a287f18faec2516a04ed175f5ca662420be32dc
Instruction Fuzzy Hash: 2BE06D31344280BADB615B74BC49BE93F60EB1333AF04822AF6FA581E1C77646809F15

Function 0047162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00471634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004711D9), ref: 0047163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004711D9), ref: 00471648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004711D9), ref: 0047164F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3455ba413995880fce21473448f674a75f37527053fdd77434d96a189192f8ac
Instruction ID: fc1552233b3613aa2d6fdab28cc4cfd17764255a119102564ca2bce572a92ddd
Opcode Fuzzy Hash: 3455ba413995880fce21473448f674a75f37527053fdd77434d96a189192f8ac
Instruction Fuzzy Hash: E9E08632601211DBD7601FE49D4DBC73F7CAF56791F148829F646D9090D6384540C798

Function 0046D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0046D858
GetDC.USER32(00000000), ref: 0046D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0046D882
ReleaseDC.USER32(?), ref: 0046D8A3

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 206cc2fc030c076f2b7c3619b743b9ddd9b82a3a9a72c99e9cdd2e31203dea83
Instruction ID: 5cd352858558942da78eaa85d93ec0daa9dc37f8ad9d541f3266bd3bf05a2fe0
Opcode Fuzzy Hash: 206cc2fc030c076f2b7c3619b743b9ddd9b82a3a9a72c99e9cdd2e31203dea83
Instruction Fuzzy Hash: A9E01270D00204DFCB819FA1D84C6ADBFB1FB09310F108019E806E7350C73885429F49

Function 0046D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0046D86C
GetDC.USER32(00000000), ref: 0046D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0046D882
ReleaseDC.USER32(?), ref: 0046D8A3

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c0d85b0cddf737debb096954d77e914dde948dd14f08f53024f61bdc02d8737b
Instruction ID: 825e38040d51ddbf8777e13db2eadb6bd739364f02a09a82e73b8fb59e16a5ab
Opcode Fuzzy Hash: c0d85b0cddf737debb096954d77e914dde948dd14f08f53024f61bdc02d8737b
Instruction Fuzzy Hash: 04E01A70C00204DFCB819FA0D8886ADBFB1BB08310B108019E80AE7350CB3899029F48

Function 00484D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00417620: _wcslen.LIBCMT ref: 00417625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00484ED4

Strings

LPT, xrefs: 00484DFB
*, xrefs: 00484E10

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 651b0672a41a13d61d4a69e81e3b628ef7213c33d5a8a01f811f93e03d678a97
Instruction ID: 1d94090c200c6dc0b7fed4ee2d11222909032772910f6fb92928970a3701b455
Opcode Fuzzy Hash: 651b0672a41a13d61d4a69e81e3b628ef7213c33d5a8a01f811f93e03d678a97
Instruction Fuzzy Hash: 46916075A002059FCB14EF58C484EAEBBF1AF84308F15849EE90A9F352D739ED85CB95

Function 0043E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0043E30D

Strings

pow, xrefs: 0043E2E5, 0043E302

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c541477f9eae421b223ac337b0553308c7fd5bd5869586c5af4cc5cd1a3c9164
Instruction ID: c04d28ee5ea6f7961f791f7f5e75919c2dd3efe30ca746397c05a6efdeb3ef80
Opcode Fuzzy Hash: c541477f9eae421b223ac337b0553308c7fd5bd5869586c5af4cc5cd1a3c9164
Instruction Fuzzy Hash: 0B518D61E1D10297EB117726C9413BB3B94EB14740F309AABE495423E9DB3C8C839A4E

Function 00497771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0046569E,00000000,?,004ACC08,?,00000000,00000000), ref: 004978DD

Part of subcall function 00416B57: _wcslen.LIBCMT ref: 00416B6A

CharUpperBuffW.USER32(0046569E,00000000,?,004ACC08,00000000,?,00000000,00000000), ref: 0049783B

Strings

<sM, xrefs: 004977C8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sM
API String ID: 3544283678-3729773310
Opcode ID: f3db5a3388ff9245d280ae6737f90ae8dc5fe8fd67483ddd8dfe024b49ad6a48
Instruction ID: c92a08bf669e093a4a5771680f773d93d8dc16ad8186d56231a0307501107d1c
Opcode Fuzzy Hash: f3db5a3388ff9245d280ae6737f90ae8dc5fe8fd67483ddd8dfe024b49ad6a48
Instruction Fuzzy Hash: A2615D72924118AACF04FBA5CC91DFEB774FF14704B54412BE542A3191EF38AA85CBA9

Function 0042E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0042E1B1

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 49aebef3dcc2cd57a60b8b02a18426e1ef4311093efaf2207705df9fb1dd40ec
Instruction ID: d1494864bbdaf89f30e31f60b50c8359592faf2ee6d2f9fca1b07af47b4668a6
Opcode Fuzzy Hash: 49aebef3dcc2cd57a60b8b02a18426e1ef4311093efaf2207705df9fb1dd40ec
Instruction Fuzzy Hash: BC511339600256DFDB14DF2AD0816FA7BA4EF15310F64405BE8929B390E6389D43CBAA

Function 0042F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0042F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0042F2BB

Strings

@, xrefs: 0042F2AF

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: dc8d2e6aadaa68db752db86bd477804e8a53291406bff81c9315c621c7055a8e
Instruction ID: 5de2cd8dd683cedd83241b537659f01411918906c5e7ea9c5befa9025096f3bb
Opcode Fuzzy Hash: dc8d2e6aadaa68db752db86bd477804e8a53291406bff81c9315c621c7055a8e
Instruction Fuzzy Hash: A95146714087449BD320AF11DC86BAFBBF8FF85304F81885EF1D9421A5EB348569CB6A

Function 00495745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004957E0
_wcslen.LIBCMT ref: 004957EC

Strings

CALLARGARRAY, xrefs: 004957E6, 004957EB

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: c439e19d234ab86891cfd1eb45a8405e5bd45a0b99f2506c10ac96a9aaa29ff0
Instruction ID: fecf3f0de0c00c7a87670555f7d7806ca9bdb838620be0d1e54a475a5b7f74bc
Opcode Fuzzy Hash: c439e19d234ab86891cfd1eb45a8405e5bd45a0b99f2506c10ac96a9aaa29ff0
Instruction Fuzzy Hash: 5A41B131A001059FCF04EFAAC8818EEBBB5EF59324F20806EE505A7351D7389D81CB98

Function 0048D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0048D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0048D13A

Strings

|, xrefs: 0048D10B

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 0f42ad192cde520660dceabc2e82da7ebe21aa6c3c6d06947fb414a29ed9cbbe
Instruction ID: 4ec16e2f8a02741809843c60be763da7acbd863f6feddf6464bfc120ed63ca6c
Opcode Fuzzy Hash: 0f42ad192cde520660dceabc2e82da7ebe21aa6c3c6d06947fb414a29ed9cbbe
Instruction Fuzzy Hash: 7C315D71D01209ABCF15EFA5CC85AEF7FB9FF08304F00001AF815A6261DB39AA56CB58

Function 004A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004A365C

Strings

static, xrefs: 004A35BC

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 1f71df5a5a77e6e7771f92438353676df90a110b90d831d3826a04c599156710
Instruction ID: 8937a241c43aba85c805cb7b0db8d41b42f9b532453bcbb288420416fe032ca8
Opcode Fuzzy Hash: 1f71df5a5a77e6e7771f92438353676df90a110b90d831d3826a04c599156710
Instruction Fuzzy Hash: 7D319071500204AEDB20DF68DC80EFB73A9FF59724F10861EF8A597290DA39ED81D768

Function 004A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 004A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004A4634

Strings

', xrefs: 004A458E

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f25b8ee910870c299010f727b1a0761f46c2517f703832a08c5d93b4dc2b909a
Instruction ID: 278866432a75f6133ca306e8ddf808b26519ac4dd7dbd476b3541e700e7534b6
Opcode Fuzzy Hash: f25b8ee910870c299010f727b1a0761f46c2517f703832a08c5d93b4dc2b909a
Instruction Fuzzy Hash: 39311B74E01209AFDB14CF69C990BDE7BB5FF9A300F14406AEA059B391D7B4A941CF94

Function 004A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004A3287

Strings

Combobox, xrefs: 004A3249

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b1d59199b9493c6c8e63c270eb6c027d4a14f9ca47bf8893780fb42ba3ea9825
Instruction ID: 54686100568eec7a8c935302bead1e7db38eb0012482e362aaae7e6dfa3c28c5
Opcode Fuzzy Hash: b1d59199b9493c6c8e63c270eb6c027d4a14f9ca47bf8893780fb42ba3ea9825
Instruction Fuzzy Hash: EF1193722002086FEF119E94DC81FAB3B5AEB663A5F10416AF9149B290E6399D518764

Function 004A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0041600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0041604C
Part of subcall function 0041600E: GetStockObject.GDI32(00000011), ref: 00416060
Part of subcall function 0041600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041606A

GetWindowRect.USER32(00000000,?), ref: 004A377A
GetSysColor.USER32(00000012), ref: 004A3794

Strings

static, xrefs: 004A3757

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: e85d33f2f1c8c52e90ed52269ce52bcf9719eb891b3c35dd2b9530ef3ea4f1b7
Instruction ID: bdd8f7fc03df8967f961e44d2b56473a3d04c898315fbc28adba98d6e1c52ab1
Opcode Fuzzy Hash: e85d33f2f1c8c52e90ed52269ce52bcf9719eb891b3c35dd2b9530ef3ea4f1b7
Instruction Fuzzy Hash: D3116AB6610209AFDF00DFA8CC45EFA7BF8FB19304F004529F955E2250E739E8519B64

Function 0048CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0048CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0048CDA6

Strings

<local>, xrefs: 0048CD66

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4afbfe6e8ee70762d17c05ffac33ec09628ccfd59cf3e82305d0ced5c9b477a6
Instruction ID: 19456566e32879ac0b5af74dc50621a8bdbcddc167b6e4dcd556ac2dc9d8c7df
Opcode Fuzzy Hash: 4afbfe6e8ee70762d17c05ffac33ec09628ccfd59cf3e82305d0ced5c9b477a6
Instruction Fuzzy Hash: 7A11E3712416327AD7246B668CC4EEBBEE8EB127A4F004637B10983180D7789841D7F4

Function 004A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004A34BA

Strings

edit, xrefs: 004A348F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 4e3cd975b0a13c5e1b44f130cbb2c8e140051d1bd924939cc63ceb11bdba65cd
Instruction ID: a6e0907f39db4a5a7b6c3bb6136229ef838c7ab2d80f2b8e05752251d133655b
Opcode Fuzzy Hash: 4e3cd975b0a13c5e1b44f130cbb2c8e140051d1bd924939cc63ceb11bdba65cd
Instruction Fuzzy Hash: 9611C471100104AFEB118E64DC80EFB3B69EF2A379F504325F960972D0D739DC519B58

Function 00476C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

CharUpperBuffW.USER32(?,?,?), ref: 00476CB6
_wcslen.LIBCMT ref: 00476CC2

Strings

STOP, xrefs: 00476CBC, 00476CC1

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 28679206a62af0a6341246020714314981fdf7c4775266c18473adb34a187ebb
Instruction ID: fe879a97793a3b7b280228da589abbb9b2d4c344b4264b584bd2dda403f9af9e
Opcode Fuzzy Hash: 28679206a62af0a6341246020714314981fdf7c4775266c18473adb34a187ebb
Instruction Fuzzy Hash: 660148326109268ACB219FBDDC809FF33A6EA60314702492AE85692280EB39D940C648

Function 00471CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00471D4C

Strings

ComboBox, xrefs: 00471CEB
ListBox, xrefs: 00471D16

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 754bd2daca0ae118a86f4789fe8cf7d4a8e1b534b7b5685d598d8ad6ccd6b750
Instruction ID: 914823559c697b7bf5af6e385ce19973813a0a27070786d89d12d907195b4341
Opcode Fuzzy Hash: 754bd2daca0ae118a86f4789fe8cf7d4a8e1b534b7b5685d598d8ad6ccd6b750
Instruction Fuzzy Hash: E2012831600214ABCB24EFA8CC61DFF7368EB02394B10451FF866573D1EE3869088AA8

Function 00471BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00471C46

Strings

ComboBox, xrefs: 00471BE5
ListBox, xrefs: 00471C10

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4c5d420a037254e331186d5a6b6747f452be9085ff02c8fc159ab0cf92dde320
Instruction ID: 11eca5a5cf8bca3fd7a44a9eab4ff858f99e890d3ed6015f3b0095c26d1f9fdd
Opcode Fuzzy Hash: 4c5d420a037254e331186d5a6b6747f452be9085ff02c8fc159ab0cf92dde320
Instruction Fuzzy Hash: 5A01FC717801046ECB15EBD4C962AFF77A89B11380F20001FE90B772D1EE289E08D6BD

Function 00471C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00471CC8

Strings

ComboBox, xrefs: 00471C69
ListBox, xrefs: 00471C94

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 78fc446232209b0b3c7e05bd25b074cdb5fa567e49b447faa858cc3da8dc3a8a
Instruction ID: 2ac1804088f680de8ca56071237e32e4dc760bc0a5e2c22bd6785422de5ffd33
Opcode Fuzzy Hash: 78fc446232209b0b3c7e05bd25b074cdb5fa567e49b447faa858cc3da8dc3a8a
Instruction Fuzzy Hash: ED01DB717801146BCB15EBD5CA12AFF77A89B11384F14401BB84673391EA289F08D6BD

Function 0042A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0042A529

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Strings

3yF, xrefs: 0042A545, 0042A54D, 0042A552
,%N, xrefs: 0042A509

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%N$3yF
API String ID: 2551934079-1307360129
Opcode ID: 7b2f2f27f5562ce8b3f0f84e7b84a4e513193e90cb91a220e176ecfec074d2a4
Instruction ID: 418cc78926548de2aaadc308080e2dde2569313f4241651e4a3aa4fbcfa0507b
Opcode Fuzzy Hash: 7b2f2f27f5562ce8b3f0f84e7b84a4e513193e90cb91a220e176ecfec074d2a4
Instruction Fuzzy Hash: 8B014C3270012067C500F769F967A9E73649B09715F90006FFD025B2C3DE9CAD818A8F

Function 00471D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419CB3: _wcslen.LIBCMT ref: 00419CBD

Part of subcall function 00473CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00473CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00471DD3

Strings

ComboBox, xrefs: 00471D75
ListBox, xrefs: 00471DA0

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d89a502856e5c39345818e1652a6763f8d1621af43f45de5698e166956a836ad
Instruction ID: 2df90902ee7775ed1b6f2547434549fadf35ecf2c0f6341087b614a88b0ce741
Opcode Fuzzy Hash: d89a502856e5c39345818e1652a6763f8d1621af43f45de5698e166956a836ad
Instruction Fuzzy Hash: 09F0FE71B5021466C714F7A5CC62BFF7768AB01344F04091BF866632D1DE786D08866C

Function 004A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004E3018,004E305C), ref: 004A81BF
CloseHandle.KERNEL32 ref: 004A81D1

Strings

\0N, xrefs: 004A818A

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0N
API String ID: 3712363035-3569702050
Opcode ID: 60acf8a30cfbb372649baab865151f6d3e172417c6cf7604e4b4697a06d41dfd
Instruction ID: ac006691daa3690efdf5ddb45997eb7ada6350a0a05ec75d14e756c896bc5d97
Opcode Fuzzy Hash: 60acf8a30cfbb372649baab865151f6d3e172417c6cf7604e4b4697a06d41dfd
Instruction Fuzzy Hash: 3DF054B1640340BAE6616F616C89FB73A5CDB05756F004475BF08DA1A3D6798E0083BC

Function 0049747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00497493
_wcslen.LIBCMT ref: 004974B9

Strings

3, 3, 16, 1, xrefs: 00497483

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 1cde1e7e7372e767e44e90f64e3df7da0352d4813d922a60028896fabef41036
Instruction ID: 90c704d3f70c523181b90308de5ed625ea18abe4a02a594f8ea51ce15fdf8812
Opcode Fuzzy Hash: 1cde1e7e7372e767e44e90f64e3df7da0352d4813d922a60028896fabef41036
Instruction Fuzzy Hash: 1EE02B42224220149731127B9CC1BBF5F89CFCD7A0B14283FF985C2367EA9C9D9193A8

Function 00470B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00470B23

Strings

Error allocating memory., xrefs: 00470B1C
AutoIt, xrefs: 00470B17

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 1b92fcc235e49e22df80f057f0a5a2a2ae32d868758f160a935454db7edad014
Instruction ID: a42289d3ac2214fb02ac44b21cf6d6b90d49e3f233e2d72406c7fd7d07a05a55
Opcode Fuzzy Hash: 1b92fcc235e49e22df80f057f0a5a2a2ae32d868758f160a935454db7edad014
Instruction Fuzzy Hash: A9E0D83134431826D21037957C43FCA7A848F06B24F60447FF758555C38FE9649046ED

Function 00430D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0042F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00430D71,?,?,?,0041100A), ref: 0042F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0041100A), ref: 00430D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0041100A), ref: 00430D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00430D7F

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2c39a0950ae133ec544b63240841dce21304ca243dc62553b66265d6e6fb363c
Instruction ID: fed07d5464822113cbf13297c14df28a0f1cf339b4b02f850a8d5e0c6761e53d
Opcode Fuzzy Hash: 2c39a0950ae133ec544b63240841dce21304ca243dc62553b66265d6e6fb363c
Instruction Fuzzy Hash: 7FE06D702003518BD3709FB9E4543867BE0AF19744F008A7EE486C6651DBB8E4888B99

Function 0042E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0042E3D5

Strings

8%N, xrefs: 0042E3CA
0%N, xrefs: 0042E3B5

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%N$8%N
API String ID: 1385522511-4178720944
Opcode ID: 1a65213d45a7382c7eb62b61db8cafba2428eeae527ef17dadff786e3ed0ca5f
Instruction ID: fe2658506b5da9ddbca61f73aa50c2cbb097b142b5be2b8b4e8245d42afc07b8
Opcode Fuzzy Hash: 1a65213d45a7382c7eb62b61db8cafba2428eeae527ef17dadff786e3ed0ca5f
Instruction Fuzzy Hash: 50E02031500A74DBC604D71BB7A4AAF3359AB09325BD012BFE401CB2D6DBFC5841874D

Function 00483017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0048302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00483044

Strings

aut, xrefs: 00483038

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 11c526f36e3c188cb80f89da331bfd841544ce71cd9543a0fd7ae46f3d6a4e90
Instruction ID: acc32a86bd11759125ece02d5ff1fd36f6b75eef3aca50bf20289742e6806fbc
Opcode Fuzzy Hash: 11c526f36e3c188cb80f89da331bfd841544ce71cd9543a0fd7ae46f3d6a4e90
Instruction Fuzzy Hash: 0FD05E7290032867DA60A7A4AD4EFCB3F6CDB06750F0002A2B696E2191DAB49984CAD4

Function 0046D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0046D220

Strings

%.3d, xrefs: 0046D22B
X64, xrefs: 0046D2A8

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 81253f641a5f5a98bce394ca3813c4d588d245ec96745857b2e480dcbb16bba2
Instruction ID: b52bc46e5dbfe121733fdbbb5c8bc0e645825aa0327b4366d18fcb6b8ed470db
Opcode Fuzzy Hash: 81253f641a5f5a98bce394ca3813c4d588d245ec96745857b2e480dcbb16bba2
Instruction Fuzzy Hash: 1FD012A1E08118E9CB9096D0DC559B9B77CAB09301FA084A3F80691040F72CD50AA76B

Function 004A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004A236C
PostMessageW.USER32(00000000), ref: 004A2373

Part of subcall function 0047E97B: Sleep.KERNEL32 ref: 0047E9F3

Strings

Shell_TrayWnd, xrefs: 004A2365

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ef623e423fce3f4c13e426aeadd1932239369e4a202ec3da9f49cd73249a9671
Instruction ID: ac2c67cecc9d447b77a96a90aaa07736c04624373e17cb5b240df6172f4988f3
Opcode Fuzzy Hash: ef623e423fce3f4c13e426aeadd1932239369e4a202ec3da9f49cd73249a9671
Instruction Fuzzy Hash: 7BD0C972781310BAE6A4A7719C4FFC66A189B16B14F114A277755AA1D0C9A4A8018A5C

Function 004A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004A233F

Part of subcall function 0047E97B: Sleep.KERNEL32 ref: 0047E9F3

Strings

Shell_TrayWnd, xrefs: 004A2325

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: af98946ad667410fa349bd09b5931b714950f24c2c57bd5ad1c7f2d7ad803ee7
Instruction ID: fbc913306e8adad24e6f473218d0bebb824e358e1fcdcdf04cf82b47add152f2
Opcode Fuzzy Hash: af98946ad667410fa349bd09b5931b714950f24c2c57bd5ad1c7f2d7ad803ee7
Instruction Fuzzy Hash: 02D02272380310B7E6A4B731DC4FFC67E089B01B00F004A277309AA1D0C8F4A800CA0C

Function 0044BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0044BE93
GetLastError.KERNEL32 ref: 0044BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044BEFC

Memory Dump Source

Source File: 00000000.00000002.2107394819.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.2107065431.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107532194.00000000004D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107645477.00000000004DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2107703493.00000000004E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a84eb85021e8eb5e9d6ef0a14d8cf467337e9c20b204cceea047fb96caf03d36
Instruction ID: 1947c439c0b93cd07f071c629bc83deeccab36d190e152f0ca2929ce10f0a4f5
Opcode Fuzzy Hash: a84eb85021e8eb5e9d6ef0a14d8cf467337e9c20b204cceea047fb96caf03d36
Instruction Fuzzy Hash: F441F634600206AFEF218F65CC44ABBBBA4EF46310F24816BF95D972A1DB35CC05DB99

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2264883662.000001FD97BC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278522595.000001FD97BC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192927419.000001FD97BC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2261963316.000001FD9AE76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2263922764.000001FD97DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195089644.000001FD977A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195089644.000001FD977A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2263922764.000001FD97DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195089644.000001FD977A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195089644.000001FD977A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2264883662.000001FD97BC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278522595.000001FD97BC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192927419.000001FD97BC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2261963316.000001FD9AE76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2295473958.000001FD90629000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2295473958.000001FD90629000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2263922764.000001FD97DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195089644.000001FD977A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2115517369.000001FD90767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2263922764.000001FD97DAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195089644.000001FD977A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2195089644.000001FD977A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3291396322.000001A85930A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3292273154.000001DD4AF0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3291396322.000001A85930A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3292273154.000001DD4AF0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2282425029.000001FD91BCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3291396322.000001A85930A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3292273154.000001DD4AF0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2261963316.000001FD9AE76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2264883662.000001FD97BC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278522595.000001FD97BC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192927419.000001FD97BC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2261963316.000001FD9AE76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292127229.000001FD90E3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2287718029.000001FD97C5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2296015826.000001FD8FFED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294026666.000001FD906A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2292081285.000001FD90E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.5:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50002 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b672c5e8-b960-444e-ac57-75a237ddab58.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b672c5e8-b960-444e-ac57-75a237ddab58.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre