Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1546224
MD5:	f7b759777f1500ce5514a0c154641cf9
SHA1:	c33d678592ebd2db8ebb043def83ffd30043f9d0
SHA256:	022006088fabec8b8dffbc41a8b60542000f829717746cff5954a57f5b3b201a
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 1840 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F7B759777F1500CE5514A0C154641CF9)

taskkill.exe (PID: 1984 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3324 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3952 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4200 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4280 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3672 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5584 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6768 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4508 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac96ae0-b0aa-4a08-ae07-ad8715404c1b} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 22db096d310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7284 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3848 -parentBuildID 20230927232528 -prefsHandle 3876 -prefMapHandle 3856 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37f0de6c-b1ae-43d1-aa54-d2569a232f96} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 22dc2a85f10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8104 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 1528 -prefMapHandle 4644 -prefsLen 33464 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13d00d77-8c6e-4eed-a5ad-36e9c86da38f} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 22dcc7dd910 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 1840	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T16:36:21.685322+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.8	49732	TCP
2024-10-31T16:36:50.198299+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.8	64363	TCP

Code function: 1_2_002DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_002DEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_002DED6A

Source: C:\Users\user\Desktop\file.exe

1_2_002DEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002CAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

1_2_002CAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002F9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_002F9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0cf8fc57-2
Source: file.exe, 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ff4ccb5a-6
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7c6a7f85-6
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2932049d-f

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001F2D6417477 NtQuerySystemInformation,		18_2_000001F2D6417477
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001F2D6435332 NtQuerySystemInformation,		18_2_000001F2D6435332

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002CD5EB: CreateFileW,DeviceIoControl,CloseHandle,

1_2_002CD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_002C1201

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002CE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_002CE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0026BF40	1_2_0026BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00268060	1_2_00268060
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002D2046	1_2_002D2046
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002C8298	1_2_002C8298
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0029E4FF	1_2_0029E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0029676B	1_2_0029676B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002F4873	1_2_002F4873
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0028CAA0	1_2_0028CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0026CAF0	1_2_0026CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0027CC39	1_2_0027CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00296DD9	1_2_00296DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0027D064	1_2_0027D064
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0027B119	1_2_0027B119
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002691C0	1_2_002691C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00281394	1_2_00281394
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00281706	1_2_00281706
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0028781B	1_2_0028781B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00267920	1_2_00267920
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0027997D	1_2_0027997D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002819B0	1_2_002819B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00287A4A	1_2_00287A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00281C77	1_2_00281C77
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00287CA7	1_2_00287CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002EBE44	1_2_002EBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00299EEE	1_2_00299EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00281F32	1_2_00281F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001F2D6417477	18_2_000001F2D6417477
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001F2D6435332	18_2_000001F2D6435332
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001F2D6435372	18_2_000001F2D6435372
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001F2D6435A5C	18_2_000001F2D6435A5C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00280A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0027F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00269CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@70/12

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002D37B5 GetLastError,FormatMessageW,

1_2_002D37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002C10BF AdjustTokenPrivileges,CloseHandle,		1_2_002C10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002C16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_002C16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002D51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_002D51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002CD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_002CD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002D648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

1_2_002D648E

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_002642A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.1679888944.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1662579671.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1611328609.0000022DCC7BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1695442127.0000022DCC6AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.1679888944.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1662579671.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1695442127.0000022DCC6AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.1679888944.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1662579671.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1695442127.0000022DCC6AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.1679888944.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1662579671.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1695442127.0000022DCC6AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.1621460336.0000022DC23CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.1679888944.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1662579671.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1695442127.0000022DCC6AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.1679888944.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1662579671.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1695442127.0000022DCC6AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.1679888944.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1662579671.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1695442127.0000022DCC6AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.1679888944.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1662579671.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1695442127.0000022DCC6AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.1679888944.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1662579671.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1695442127.0000022DCC6AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac96ae0-b0aa-4a08-ae07-ad8715404c1b} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 22db096d310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3848 -parentBuildID 20230927232528 -prefsHandle 3876 -prefMapHandle 3856 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37f0de6c-b1ae-43d1-aa54-d2569a232f96} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 22dc2a85f10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 1528 -prefMapHandle 4644 -prefsLen 33464 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13d00d77-8c6e-4eed-a5ad-36e9c86da38f} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 22dcc7dd910 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac96ae0-b0aa-4a08-ae07-ad8715404c1b} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 22db096d310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3848 -parentBuildID 20230927232528 -prefsHandle 3876 -prefMapHandle 3856 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37f0de6c-b1ae-43d1-aa54-d2569a232f96} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 22dc2a85f10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 1528 -prefMapHandle 4644 -prefsLen 33464 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13d00d77-8c6e-4eed-a5ad-36e9c86da38f} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 22dcc7dd910 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.1624141036.0000022DCD00F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.1671558392.0000022DC004B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.1669667676.0000022DC0041000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.1671558392.0000022DC004B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.1670802160.0000022DC0041000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.1669667676.0000022DC0041000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.1669574613.0000022DCD00F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.1624141036.0000022DCD00F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.1670802160.0000022DC0041000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.1669574613.0000022DCD00F000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_002642DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00280A76 push ecx; ret

1_2_00280A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0027F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_0027F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002F1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_002F1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_1-95693

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001F2D6417477 rdtsc

18_2_000001F2D6417477

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_002CDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0029C2A2 FindFirstFileExW,	1_2_0029C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002D68EE FindFirstFileW,FindClose,	1_2_002D68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_002D698F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_002CD076
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_002CD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_002D9642
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_002D979D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_002D9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002D5C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_002D5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_002642DE

Source: firefox.exe, 00000012.00000002.2719223175.000001F2D6450000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWV
Source: firefox.exe, 00000014.00000002.2720195915.000001A35FC00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWO
Source: firefox.exe, 00000010.00000002.2720694083.0000016F9EE00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: firefox.exe, 00000010.00000002.2714417388.0000016F9E85A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2720694083.0000016F9EE00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2713659517.000001F2D5B2A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2715530230.000001A35F75A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.2719445787.0000016F9ED14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.2719223175.000001F2D6450000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: firefox.exe, 00000010.00000002.2720694083.0000016F9EE00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2719223175.000001F2D6450000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001F2D6417477 rdtsc

18_2_000001F2D6417477

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002DEAA2 BlockInput,

1_2_002DEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00292622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00292622

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_002642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00284CE8 mov eax, dword ptr fs:[00000030h]

1_2_00284CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

1_2_002C0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00292622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00292622
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0028083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0028083F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002809D5 SetUnhandledExceptionFilter,	1_2_002809D5
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00280C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00280C21

Source: C:\Users\user\Desktop\file.exe

1_2_002C1201

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002A2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_002A2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002CB226 SendInput,keybd_event,

1_2_002CB226

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002E22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

1_2_002E22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

1_2_002C0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002C1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_002C1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.1628243979.0000022DCD00F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00280698 cpuid

1_2_00280698

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002D8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

1_2_002D8195

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002BD27A GetUserNameW,

1_2_002BD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0029B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

1_2_0029B952

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_002642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_002642DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1840, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1840, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002E1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		1_2_002E1204
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002E1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_002E1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggestabout	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.1	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.65.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.186.174	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	172.217.18.110	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.129.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.2715072642.000001F2D5EC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2716818426.000001A35FBC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.1614351828.0000022DC46BE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.1689070217.0000022DC22E0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.1637033218.0000022DC453E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1633218879.0000022DC4541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558594472.0000022DC4544000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556753063.0000022DC4544000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1635328749.0000022DC4538000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.2716611092.0000016F9EC72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2715072642.000001F2D5E86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2716818426.000001A35FB87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.1553940147.0000022DC8E5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1696774186.0000022DC8E5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1681584063.0000022DC8E54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.1683319541.0000022DC46E5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.1613451683.0000022DC8F3D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.1613982459.0000022DC8D1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526792767.0000022DC043A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526488581.0000022DC041E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526969692.0000022DC0457000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.1615757091.0000022DC4381000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.1679888944.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1695519295.0000022DCC699000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1662579671.0000022DCC698000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.1555951404.0000022DC0F67000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.1565033340.0000022DC1E69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561469740.0000022DC1E69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526024199.0000022DC0200000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1527127091.0000022DC0473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526792767.0000022DC043A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526488581.0000022DC041E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526969692.0000022DC0457000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1539075https://bugzilla.mozilla.org/show_bug.cgi?id=158	firefox.exe, 0000000E.00000003.1555951404.0000022DC0F67000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.1526024199.0000022DC0200000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1527127091.0000022DC0473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526792767.0000022DC043A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526488581.0000022DC041E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1526969692.0000022DC0457000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.1684032179.0000022DC3C63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615525751.0000022DC43D8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.1681584063.0000022DC8E54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.1662579671.0000022DCC611000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.instagram.com/	firefox.exe, 0000000E.00000003.1568033337.0000022DC1FC8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l	firefox.exe, 0000000E.00000003.1613861142.0000022DC8EB6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.1553940147.0000022DC8E5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1681755597.0000022DC8E45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1696924118.0000022DC8E45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1681584063.0000022DC8E54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1676065035.0000022DC8F83000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1607439resource://activity-stream/lib/DiscoveryStreamFe	firefox.exe, 0000000E.00000003.1555951404.0000022DC0F67000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://email.seznam.cz/newMessageScreen?mailto=%sU	firefox.exe, 0000000E.00000003.1529054468.0000022DBE618000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529255480.0000022DBE633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1528200986.0000022DBE633000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.1555455385.0000022DC19F3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	firefox.exe, 00000010.00000002.2716611092.0000016F9ECC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2715072642.000001F2D5EE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2720393838.000001A35FD03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.1681755597.0000022DC8E45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1696924118.0000022DC8E45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1676065035.0000022DC8F83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2715072642.000001F2D5E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2716818426.000001A35FB0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.1602659212.0000022DC0E45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1603584578.0000022DC0E4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1603542657.0000022DC0E6A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1603410924.0000022DC0E4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1603410924.0000022DC0E5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.1553940147.0000022DC8E5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1696774186.0000022DC8E5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1681584063.0000022DC8E54000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.1679888944.0000022DCC611000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1662579671.0000022DCC611000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.2715072642.000001F2D5EC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2716818426.000001A35FBC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.1553940147.0000022DC8EA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1553940147.0000022DC8ECD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1553940147.0000022DC8E97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1553940147.0000022DC8EA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1553940147.0000022DC8EE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1553940147.0000022DC8EC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555150822.0000022DC3C9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1553940147.0000022DC8EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1553940147.0000022DC8EDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.1602659212.0000022DC0E45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.1640617185.0000022DC1BEA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.1611625461.0000022DCC790000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.1615757091.0000022DC4381000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search?client=firefox-b-d&q=next-generation-accessibility-engine-powering-scr	firefox.exe, 0000000E.00000003.1611625461.0000022DCC790000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.1676104137.0000022DC8F3D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000010.00000002.2716611092.0000016F9ECC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2715072642.000001F2D5EE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2720393838.000001A35FD03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000014.00000002.2716818426.000001A35FB13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.1553940147.0000022DC8E5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1696774186.0000022DC8E5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1681584063.0000022DC8E54000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.2714289932.000001F2D5C90000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.1663071603.0000022DCA69B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000010.00000002.2716611092.0000016F9EC72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.1555951404.0000022DC0F67000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.1615026453.0000022DC44C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.1657791364.0000022DC1BE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1642351069.0000022DC1EE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1655989438.0000022DC1BC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1668702153.0000022DC1FE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1619614653.0000022DC2AD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1686847556.0000022DC23CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1652391952.0000022DC1EE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1626651348.0000022DC1FC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1582311014.0000022DC17C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1640617185.0000022DC1BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1554935397.0000022DC43D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1638813130.0000022DC1BE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1565033340.0000022DC1EA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1638813130.0000022DC1BDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1685149170.0000022DC2C14000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556636590.0000022DC45B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615422263.0000022DC447C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1620911773.0000022DC23CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1667202816.0000022DC1B61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1617307411.0000022DC3237000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556753063.0000022DC452D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.1684032179.0000022DC3C48000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000E.00000003.1615026453.0000022DC44E8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.1684032179.0000022DC3C48000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 0000000E.00000003.1559244341.0000022DC2071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.1553940147.0000022DC8E5D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.1611328609.0000022DCC7BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1614351828.0000022DC462B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555455385.0000022DC19F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.1611328609.0000022DCC7BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1614351828.0000022DC462B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555455385.0000022DC19F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.1615026453.0000022DC44C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.1637033218.0000022DC453E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1633218879.0000022DC4541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1558594472.0000022DC4544000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556753063.0000022DC4544000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1635328749.0000022DC4538000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.1555951404.0000022DC0F67000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.1529054468.0000022DBE618000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529255480.0000022DBE633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1528200986.0000022DBE633000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.1621555572.0000022DC23A3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.1697903581.0000022DC8A95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1682657064.0000022DC8A90000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.1602659212.0000022DC0E45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1603584578.0000022DC0E4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1603542657.0000022DC0E6A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1603410924.0000022DC0E4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1603410924.0000022DC0E5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.1529054468.0000022DBE618000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529255480.0000022DBE633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1528200986.0000022DBE633000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.1679888944.0000022DCC611000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1662579671.0000022DCC611000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.1615026453.0000022DC44D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555951404.0000022DC0F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.1553940147.0000022DC8E5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1696774186.0000022DC8E5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1681584063.0000022DC8E54000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.1692397500.0000022DCC8EA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.2716047673.0000016F9EB40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2718284071.000001F2D6390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2715935754.000001A35F860000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.1526969692.0000022DC0457000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.174	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546224
Start date and time:	2024-10-31 16:35:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@70/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 311
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 54.185.230.140, 35.160.212.113, 52.11.191.138, 142.250.184.206, 2.22.61.59, 2.22.61.56, 142.250.186.78, 142.250.186.138, 142.250.186.170
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 6768 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:36:19	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
34.149.100.209	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
example.org	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
FASTLYUS	https://my.toruftuiov.com/a43a39c3-796e-468c-aae4-b83c862e0918	Get hash	malicious	Unknown	Browse	151.101.3.6
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	http://djaahaf.r.af.d.sendibt2.com	Get hash	malicious	Unknown	Browse	151.101.129.140
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	Invoice Ref ++_Donuts.html	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	Uschamber-TimeSheet Reports.pdf	Get hash	malicious	Unknown	Browse	151.101.66.137
	https://www.chambersschool.org/programs/early-childhood	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	151.101.64.176
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	Metro Plastics Technologies.pdf	Get hash	malicious	Unknown	Browse	34.128.128.0
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://djaahaf.r.af.d.sendibt2.com	Get hash	malicious	Unknown	Browse	34.54.144.50
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8713d400-52b9-44dc-ae62-bf9b220c7483.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8056
Entropy (8bit):	5.180794821248352
Encrypted:	false
SSDEEP:	192:wT99wMiZVOcbhbVbTbfbRbObtbyEl7nsrdJA6unSrDtTkdmSZS:wT9b7cNhnzFSJMrY1nSrDhkdmeS
MD5:	7CDEE69B20A0CB008B7ED7172D7A71FA
SHA1:	F197AEC4682FA2D0269018C9FDFF07B9AD093566
SHA-256:	0FD582AD756AE6DD6202DC2C05CFF16EACEFDABB1A6FF38DDF9F75B1D12F4EF1
SHA-512:	F86C22BC3396A687E33D9A33304A24FAA3B08B8B4307DE956BCFD622266506492018DE6CF29EEE5B87E1EE07B6B5578CE6642C5DF9EC689548F0BA16D2044FD6
Malicious:	false
Preview:	{"type":"uninstall","id":"8713d400-52b9-44dc-ae62-bf9b220c7483","creationDate":"2024-10-31T16:40:05.787Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"965729a8-84e4-4cad-a75d-ac8181902c4b","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8713d400-52b9-44dc-ae62-bf9b220c7483.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8056
Entropy (8bit):	5.180794821248352
Encrypted:	false
SSDEEP:	192:wT99wMiZVOcbhbVbTbfbRbObtbyEl7nsrdJA6unSrDtTkdmSZS:wT9b7cNhnzFSJMrY1nSrDhkdmeS
MD5:	7CDEE69B20A0CB008B7ED7172D7A71FA
SHA1:	F197AEC4682FA2D0269018C9FDFF07B9AD093566
SHA-256:	0FD582AD756AE6DD6202DC2C05CFF16EACEFDABB1A6FF38DDF9F75B1D12F4EF1
SHA-512:	F86C22BC3396A687E33D9A33304A24FAA3B08B8B4307DE956BCFD622266506492018DE6CF29EEE5B87E1EE07B6B5578CE6642C5DF9EC689548F0BA16D2044FD6
Malicious:	false
Preview:	{"type":"uninstall","id":"8713d400-52b9-44dc-ae62-bf9b220c7483","creationDate":"2024-10-31T16:40:05.787Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"965729a8-84e4-4cad-a75d-ac8181902c4b","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6150
Entropy (8bit):	4.943002386448213
Encrypted:	false
SSDEEP:	192:7LFS+O1U6OdwiOdEiVoslH5jV/ZiwBhZ08jzLWw8P:N5dimslH5jVhiwBrk
MD5:	D7ACA0FC8046B1B79933A5E3F791BC0D
SHA1:	4BA95CA23D02E94E9E8BD8687CDACFE789F17F20
SHA-256:	88F1EA121A243C09A6721097BED659F83672595530548B717E83EB868972E487
SHA-512:	15296D541506C2FAEB38C579CDBA92CD63EA5B23B80D445B7D8EF2C156269F0454AEBF70D18778AA63784C2C9CA2F2B10C18B98546AC67539A25BE1E8ADAD0F2
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"fbda1f9b-e03c-4207-94bb-3e5ec8a299dc","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T08:19:30.130Z","featureIds":["bookmarks"],"prefs":[],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"cdbde02e-86fb-4899-ad8a-776106784576","experimentType":"r

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6150
Entropy (8bit):	4.943002386448213
Encrypted:	false
SSDEEP:	192:7LFS+O1U6OdwiOdEiVoslH5jV/ZiwBhZ08jzLWw8P:N5dimslH5jVhiwBrk
MD5:	D7ACA0FC8046B1B79933A5E3F791BC0D
SHA1:	4BA95CA23D02E94E9E8BD8687CDACFE789F17F20
SHA-256:	88F1EA121A243C09A6721097BED659F83672595530548B717E83EB868972E487
SHA-512:	15296D541506C2FAEB38C579CDBA92CD63EA5B23B80D445B7D8EF2C156269F0454AEBF70D18778AA63784C2C9CA2F2B10C18B98546AC67539A25BE1E8ADAD0F2
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"fbda1f9b-e03c-4207-94bb-3e5ec8a299dc","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T08:19:30.130Z","featureIds":["bookmarks"],"prefs":[],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"cdbde02e-86fb-4899-ad8a-776106784576","experimentType":"r

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 26944 bytes
Category:	dropped
Size (bytes):	6083
Entropy (8bit):	6.619127307031394
Encrypted:	false
SSDEEP:	96:72YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTKd:7Tx2x2t0FDJ4NF6ILDfzjtedh6TY
MD5:	4B0429E855B6E03691AB046102E56148
SHA1:	03B3130A02A925F8808E134EEAA31E5A722B08CD
SHA-256:	2208D4A406C96EF97A878C9F558D99F21A8FA7932894E95EBE3EEDFF74BF81D2
SHA-512:	2590FEA23791075EAC4734CD5FAC4A7B3A0DABD9EAA24F0A3758C8780C6F5A5460E82258167DEECE4046288027B6BCB574F4A64EE4C48EF16B1BAEC6C6DC34E0
Malicious:	false
Preview:	mozLz40.@i....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 26944 bytes
Category:	dropped
Size (bytes):	6083
Entropy (8bit):	6.619127307031394
Encrypted:	false
SSDEEP:	96:72YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTKd:7Tx2x2t0FDJ4NF6ILDfzjtedh6TY
MD5:	4B0429E855B6E03691AB046102E56148
SHA1:	03B3130A02A925F8808E134EEAA31E5A722B08CD
SHA-256:	2208D4A406C96EF97A878C9F558D99F21A8FA7932894E95EBE3EEDFF74BF81D2
SHA-512:	2590FEA23791075EAC4734CD5FAC4A7B3A0DABD9EAA24F0A3758C8780C6F5A5460E82258167DEECE4046288027B6BCB574F4A64EE4C48EF16B1BAEC6C6DC34E0
Malicious:	false
Preview:	mozLz40.@i....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185849187264327
Encrypted:	false
SSDEEP:	768:0I4nvfwkXU4y6f4k4oB4a4IPN84I4/4uw4J424qF4g:0NPa45
MD5:	6C3BE83A836C11F0781A28C5C276611E
SHA1:	826B42D0E82A04A59A96150A478A9C63172B7506
SHA-256:	FB38EDAD3460F248967331080F6C398248DBC215D16E4BAB3E31CE260E1176B7
SHA-512:	EA67C9DF14F00A17C3044EE63DAFA9E7FA9A4B0F04A4D98CC19F2C9794D6D9A215323E13AD354AF60DE1F31288C565EE4455CFE3B9B8F2877DEF20A4151D4921
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{fc425cd7-ddd8-48c7-9e11-c0b9f650e5fa}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185849187264327
Encrypted:	false
SSDEEP:	768:0I4nvfwkXU4y6f4k4oB4a4IPN84I4/4uw4J424qF4g:0NPa45
MD5:	6C3BE83A836C11F0781A28C5C276611E
SHA1:	826B42D0E82A04A59A96150A478A9C63172B7506
SHA-256:	FB38EDAD3460F248967331080F6C398248DBC215D16E4BAB3E31CE260E1176B7
SHA-512:	EA67C9DF14F00A17C3044EE63DAFA9E7FA9A4B0F04A4D98CC19F2C9794D6D9A215323E13AD354AF60DE1F31288C565EE4455CFE3B9B8F2877DEF20A4151D4921
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{fc425cd7-ddd8-48c7-9e11-c0b9f650e5fa}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0733309034670187
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkio:DLhesh7Owd4+ji
MD5:	907CB374B53FC8618045E4C84D6800A8
SHA1:	E793AFD54827BEFAEA3B8DBB5F189453D5EE2997
SHA-256:	FBB86ED2C411EB8F898FF84022B2B4EE21B0339377C8804FC03FDB6CF098E71A
SHA-512:	B2B5B46766B160C64A6B6C40B352128022D9DCD75E25299218882A8972BAFC0A97A2DE0757B193B35F6DD7D52BF3919100F778C2B63B60103F02B1343235400B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03535756160686293
Encrypted:	false
SSDEEP:	3:GtlstFx0IDykzklqAltlstFx0IDykzklqp89//alEl:GtWtYIGkzklqAtWtYIGkzklqp89XuM
MD5:	A7B112A4C8C87C5886288E575607AA43
SHA1:	736B7965DAFE93A5C144AF186BA34714F70ACEEA
SHA-256:	206DF2AECF45483C6FBB15E52D7196F531EDD75C551E0451FA3D3A006DD7EC66
SHA-512:	4C3B8A9CE841BEB62CB89A09D9C4C9A180E76BA72F62D6C6DA3547CAE35A3A2C4D43C52F67867DA2AE7013E06DED7FC95065D4F5AE51B2C7BF51E2EB23A447E6
Malicious:	false
Preview:	..-......................Q..O&&K.Z..A..Y...j.<:...-......................Q..O&&K.Z..A..Y...j.<:.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03726671026247075
Encrypted:	false
SSDEEP:	3:Ol1nsEZO7tolNkGb6fqFmG8aEJ/Nmhml8XW3R2:KXwoljb6fqkr/Ehm93w
MD5:	EBC3D03C240D6D1529FCFB271EA0E538
SHA1:	FAF0A330D1B5D3BDF2DD56CFBEB3BDFFA937EA66
SHA-256:	C5808CB52859AAB53B5580880D3B06B92A34FECB846DFB8ECA8CFBC9D0762711
SHA-512:	2F2E08EE118DD9AA9679387AC5645C67835D95037DD47C83B8020C38D3CED8E0F471255B23D851E1996D4D4CEE87728BFD58F7ACB67E38B175164CCE397F777F
Malicious:	false
Preview:	7....-...........Z..A..Y.r]..k>..........Z..A..Y..Q.K&&O................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	13820
Entropy (8bit):	5.468806675949051
Encrypted:	false
SSDEEP:	192:NzQneRdIYbBp6HnmUzaXw6aR+kKWPauD5RDNBw8dZ9mSl:NzeeMmUYLtDgrwuw0
MD5:	43027936AEDDAB9F5BB421EBE990CD0B
SHA1:	6F28ABC21A262D2F315915EC01D68508174D67C4
SHA-256:	3B05CD410738BEED24F76E352B34CC60C75A2AED989BF9C6795DFD744FBD7E57
SHA-512:	02D3F655842E1838231EA54CA2904EC975B80499413D83F6E73CCBBE3FF1C26E18163497F2EE02E538773AC0144303F76B3C2A093D71A69A360C8840F3EFE9E1
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "38829aa4-f57e-4fd8-bfd3-d094d57ae30f");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730392776);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730392776);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730392776);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173039

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	13820
Entropy (8bit):	5.468806675949051
Encrypted:	false
SSDEEP:	192:NzQneRdIYbBp6HnmUzaXw6aR+kKWPauD5RDNBw8dZ9mSl:NzeeMmUYLtDgrwuw0
MD5:	43027936AEDDAB9F5BB421EBE990CD0B
SHA1:	6F28ABC21A262D2F315915EC01D68508174D67C4
SHA-256:	3B05CD410738BEED24F76E352B34CC60C75A2AED989BF9C6795DFD744FBD7E57
SHA-512:	02D3F655842E1838231EA54CA2904EC975B80499413D83F6E73CCBBE3FF1C26E18163497F2EE02E538773AC0144303F76B3C2A093D71A69A360C8840F3EFE9E1
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "38829aa4-f57e-4fd8-bfd3-d094d57ae30f");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730392776);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730392776);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730392776);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173039

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.329798660159735
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSrXLXnIgVf/pnxQwRlszT5sVl3eHVY+qo+pTBamhujJvyODox7Ikmr:GUpOxAXLnR6M3epfyTB4JaNIHiw
MD5:	5573C7021F9E10D234E4B4A084B3F2E5
SHA1:	DFFA1C486E676887BAACA7815B9326622825C800
SHA-256:	D8CD4818EB325B788F866F7D63C9A9406463ED44E22C5075AD3F02961265BDFB
SHA-512:	19656756A9BB955C3F57D7535CB8F42A8969249C58316E2463990D4692D557FB3E38221530973AE043FE2E0A49B4BF1CE11AC8D82B9E4A1A9A6EE8889ABE283B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5d3018ed-a72c-42a1-ac6d-82af6cee9d32}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730392778946,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9..890d5fc3-0c48...14-a93a-b8e730a022a1","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P45250...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A4a32081674711da8c0af7e7198f4a549116c7011a74775b8dc2ae1b10b859df4","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...51018,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.329798660159735
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSrXLXnIgVf/pnxQwRlszT5sVl3eHVY+qo+pTBamhujJvyODox7Ikmr:GUpOxAXLnR6M3epfyTB4JaNIHiw
MD5:	5573C7021F9E10D234E4B4A084B3F2E5
SHA1:	DFFA1C486E676887BAACA7815B9326622825C800
SHA-256:	D8CD4818EB325B788F866F7D63C9A9406463ED44E22C5075AD3F02961265BDFB
SHA-512:	19656756A9BB955C3F57D7535CB8F42A8969249C58316E2463990D4692D557FB3E38221530973AE043FE2E0A49B4BF1CE11AC8D82B9E4A1A9A6EE8889ABE283B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5d3018ed-a72c-42a1-ac6d-82af6cee9d32}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730392778946,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9..890d5fc3-0c48...14-a93a-b8e730a022a1","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P45250...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A4a32081674711da8c0af7e7198f4a549116c7011a74775b8dc2ae1b10b859df4","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...51018,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1566
Entropy (8bit):	6.329798660159735
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSrXLXnIgVf/pnxQwRlszT5sVl3eHVY+qo+pTBamhujJvyODox7Ikmr:GUpOxAXLnR6M3epfyTB4JaNIHiw
MD5:	5573C7021F9E10D234E4B4A084B3F2E5
SHA1:	DFFA1C486E676887BAACA7815B9326622825C800
SHA-256:	D8CD4818EB325B788F866F7D63C9A9406463ED44E22C5075AD3F02961265BDFB
SHA-512:	19656756A9BB955C3F57D7535CB8F42A8969249C58316E2463990D4692D557FB3E38221530973AE043FE2E0A49B4BF1CE11AC8D82B9E4A1A9A6EE8889ABE283B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5d3018ed-a72c-42a1-ac6d-82af6cee9d32}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730392778946,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9..890d5fc3-0c48...14-a93a-b8e730a022a1","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P45250...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A4a32081674711da8c0af7e7198f4a549116c7011a74775b8dc2ae1b10b859df4","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...51018,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.011361417263986
Encrypted:	false
SSDEEP:	48:YrSAYnMudxUQZpExB1+anOpWZOVhFu1VuWxzzcsYMsku7f86SLAVL7DV9F5FtsfH:ycMMTEr5RXxzzcBvbw6KkjVrrc2Rn27
MD5:	2F1E4AAE0B4E3C57A76615AD8F56FB65
SHA1:	5B7D3D14C66D74511A85DA6281EA6D27C5140A67
SHA-256:	433823A45619A7B04094126875B4273EB6B7C57BCA2D5C06AAD819D7296D9F0C
SHA-512:	EC5EFAA4983FC3D972970C80963627F0EA5957D94A4477C7A62570F716E50067C18B685DDD893FB45B2645B870815B63D611DE716E1CFD4D13747F0A4A860171
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-31T16:39:19.335Z","profileAgeCreated":1696493964214,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.011361417263986
Encrypted:	false
SSDEEP:	48:YrSAYnMudxUQZpExB1+anOpWZOVhFu1VuWxzzcsYMsku7f86SLAVL7DV9F5FtsfH:ycMMTEr5RXxzzcBvbw6KkjVrrc2Rn27
MD5:	2F1E4AAE0B4E3C57A76615AD8F56FB65
SHA1:	5B7D3D14C66D74511A85DA6281EA6D27C5140A67
SHA-256:	433823A45619A7B04094126875B4273EB6B7C57BCA2D5C06AAD819D7296D9F0C
SHA-512:	EC5EFAA4983FC3D972970C80963627F0EA5957D94A4477C7A62570F716E50067C18B685DDD893FB45B2645B870815B63D611DE716E1CFD4D13747F0A4A860171
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-31T16:39:19.335Z","profileAgeCreated":1696493964214,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584708794638725
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	f7b759777f1500ce5514a0c154641cf9
SHA1:	c33d678592ebd2db8ebb043def83ffd30043f9d0
SHA256:	022006088fabec8b8dffbc41a8b60542000f829717746cff5954a57f5b3b201a
SHA512:	8d02d1b67c24892650f1a1eea06111c5df95838c7bffbc650a0b0c5f053e2a241f8590c2d2a70b5351836b5bee667fbe02f69f7666d010a5e5e2070f20b44d0b
SSDEEP:	12288:CqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T7:CqDEvCTbMWu7rQYlBQcBiT6rprG8ab7
TLSH:	B3159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6723A242 [Thu Oct 31 15:29:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F65586E34C3h
jmp 00007F65586E2DCFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F65586E2FADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F65586E2F7Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F65586E5B6Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F65586E5BB8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F65586E5BA1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	8afd880cebe0b21c0759ac0aaac34d7e	False	0.31571400316455694	data	5.373851115746269	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T16:36:21.685322+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.8	49732	TCP
2024-10-31T16:36:50.198299+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.8	64363	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 16:36:16.502170086 CET	49711	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:16.502219915 CET	443	49711	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:16.502849102 CET	49712	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:16.502882004 CET	443	49712	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:16.502943039 CET	49711	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:16.504904032 CET	49712	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:16.510567904 CET	49711	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:16.510591030 CET	443	49711	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:16.511976957 CET	49712	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:16.511996031 CET	443	49712	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:16.544728994 CET	49713	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:16.547086954 CET	49714	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:16.547102928 CET	443	49714	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:16.548036098 CET	49714	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:16.549587965 CET	49714	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:16.549601078 CET	443	49714	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:16.549621105 CET	80	49713	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:16.551918030 CET	49713	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:16.552068949 CET	49713	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:16.557286978 CET	80	49713	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:17.117691994 CET	443	49711	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:17.127331972 CET	443	49711	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:17.134134054 CET	49711	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:17.142873049 CET	80	49713	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:17.194461107 CET	49713	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:17.247728109 CET	49711	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:17.247750044 CET	443	49711	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:17.247900009 CET	49711	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:17.248060942 CET	443	49711	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:17.248321056 CET	49716	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:17.248353958 CET	443	49716	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:17.250298023 CET	49711	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:17.250329971 CET	49716	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:17.251746893 CET	49716	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:17.251764059 CET	443	49716	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:17.304748058 CET	49717	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.304795980 CET	443	49717	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:17.308820009 CET	49718	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:17.308851957 CET	443	49718	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:17.309474945 CET	49717	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.309510946 CET	49718	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:17.310952902 CET	49717	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.310976028 CET	443	49717	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:17.311105967 CET	49718	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:17.311117887 CET	443	49718	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:17.315505981 CET	49719	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:17.319456100 CET	49720	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.319473982 CET	443	49720	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:17.319673061 CET	49720	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.320436954 CET	80	49719	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:17.321154118 CET	49720	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.321166992 CET	443	49720	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:17.321266890 CET	49719	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:17.321374893 CET	49719	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:17.326457024 CET	80	49719	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:17.329619884 CET	49713	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:17.334810019 CET	80	49713	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:17.335778952 CET	49713	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:17.367697954 CET	443	49712	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:17.368710995 CET	443	49712	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:17.373491049 CET	49712	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:17.373517036 CET	443	49712	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:17.378498077 CET	49712	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:17.378518105 CET	443	49712	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:17.378592014 CET	49712	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:17.378698111 CET	443	49712	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:17.379267931 CET	49712	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:17.427041054 CET	443	49714	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:17.427117109 CET	49714	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:17.428148031 CET	443	49714	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:17.428244114 CET	49714	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:17.606756926 CET	49714	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:17.606780052 CET	443	49714	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:17.606870890 CET	49714	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:17.607145071 CET	443	49714	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:17.607296944 CET	49721	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:17.607342958 CET	443	49721	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:17.607362986 CET	49714	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:17.607546091 CET	49721	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:17.608987093 CET	49721	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:17.609002113 CET	443	49721	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:17.684184074 CET	49722	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:17.684226990 CET	443	49722	34.160.144.191	192.168.2.8
Oct 31, 2024 16:36:17.684848070 CET	49722	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:17.685055971 CET	49722	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:17.685074091 CET	443	49722	34.160.144.191	192.168.2.8
Oct 31, 2024 16:36:17.860820055 CET	443	49716	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:17.863780975 CET	49716	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:17.870779037 CET	49716	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:17.870788097 CET	443	49716	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:17.870867968 CET	49716	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:17.870944023 CET	443	49716	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:17.871828079 CET	49716	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:17.916851044 CET	80	49719	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:17.917289019 CET	49719	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:17.922774076 CET	80	49719	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:17.922821045 CET	49719	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:17.931914091 CET	443	49718	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:17.931998014 CET	49718	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:17.932728052 CET	443	49720	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:17.932987928 CET	49720	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.935256958 CET	49718	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:17.935275078 CET	443	49718	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:17.935547113 CET	443	49718	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:17.938589096 CET	443	49717	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:17.939439058 CET	49718	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:17.939519882 CET	49718	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:17.939626932 CET	443	49718	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:17.939738035 CET	49718	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:17.939757109 CET	49717	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.943923950 CET	49720	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.943947077 CET	443	49720	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:17.944117069 CET	443	49720	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:17.944185972 CET	49720	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.944192886 CET	443	49720	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:17.944514036 CET	49720	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.944962978 CET	49723	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.944989920 CET	443	49723	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:17.945082903 CET	49723	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.946574926 CET	49723	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.946587086 CET	443	49723	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:17.946652889 CET	49717	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.946666956 CET	443	49717	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:17.946713924 CET	49717	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:17.946862936 CET	443	49717	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:17.946938038 CET	49717	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:18.092905045 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:18.098129988 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:18.101865053 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:18.102032900 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:18.107151031 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:18.297566891 CET	443	49722	34.160.144.191	192.168.2.8
Oct 31, 2024 16:36:18.300169945 CET	49722	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:18.303251028 CET	49722	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:18.303270102 CET	443	49722	34.160.144.191	192.168.2.8
Oct 31, 2024 16:36:18.303761959 CET	443	49722	34.160.144.191	192.168.2.8
Oct 31, 2024 16:36:18.305861950 CET	49722	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:18.305967093 CET	49722	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:18.306301117 CET	443	49722	34.160.144.191	192.168.2.8
Oct 31, 2024 16:36:18.306318998 CET	49726	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:18.306364059 CET	443	49726	34.160.144.191	192.168.2.8
Oct 31, 2024 16:36:18.306370974 CET	49722	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:18.306560993 CET	49726	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:18.306705952 CET	49726	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:18.306723118 CET	443	49726	34.160.144.191	192.168.2.8
Oct 31, 2024 16:36:18.465063095 CET	443	49721	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:18.465219021 CET	49721	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:18.465744019 CET	443	49721	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:18.466195107 CET	49721	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:18.470985889 CET	49721	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:18.470997095 CET	443	49721	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:18.471093893 CET	49721	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:18.471163988 CET	443	49721	142.250.186.174	192.168.2.8
Oct 31, 2024 16:36:18.471226931 CET	49721	443	192.168.2.8	142.250.186.174
Oct 31, 2024 16:36:18.553819895 CET	443	49723	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:18.553881884 CET	49723	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:18.558816910 CET	49723	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:18.558820963 CET	443	49723	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:18.558856964 CET	49723	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:18.558959007 CET	443	49723	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:18.559071064 CET	49723	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:18.710045099 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:18.761496067 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:18.819334030 CET	49727	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:18.819379091 CET	443	49727	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:18.819526911 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:18.820811987 CET	49728	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:18.821346998 CET	49727	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:18.822875023 CET	49727	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:18.822890997 CET	443	49727	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:18.824439049 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:18.826071978 CET	80	49728	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:18.826365948 CET	49728	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:18.826505899 CET	49728	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:18.831294060 CET	80	49728	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:18.932866096 CET	443	49726	34.160.144.191	192.168.2.8
Oct 31, 2024 16:36:18.932941914 CET	49726	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:18.936201096 CET	49726	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:18.936212063 CET	443	49726	34.160.144.191	192.168.2.8
Oct 31, 2024 16:36:18.936532974 CET	443	49726	34.160.144.191	192.168.2.8
Oct 31, 2024 16:36:18.938632011 CET	49726	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:18.938729048 CET	49726	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:18.938805103 CET	443	49726	34.160.144.191	192.168.2.8
Oct 31, 2024 16:36:18.938870907 CET	49726	443	192.168.2.8	34.160.144.191
Oct 31, 2024 16:36:18.946185112 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:18.969340086 CET	49728	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:18.980516911 CET	49729	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:18.985543966 CET	80	49729	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:18.986605883 CET	49729	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:18.986756086 CET	49729	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:18.991909027 CET	80	49729	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:18.993304968 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:19.020308971 CET	80	49728	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:19.048146963 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:19.053141117 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:19.174902916 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:19.226313114 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:19.308871031 CET	80	49728	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:19.309866905 CET	49728	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:19.380117893 CET	49729	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:19.428204060 CET	80	49729	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:19.430135012 CET	443	49727	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:19.442521095 CET	49727	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:19.451531887 CET	49727	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:19.451545000 CET	443	49727	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:19.451642036 CET	49727	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:19.451730013 CET	443	49727	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:19.452038050 CET	49731	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:19.452086926 CET	443	49731	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:19.462595940 CET	49727	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:19.462717056 CET	49731	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:19.463042974 CET	80	49729	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:19.466799021 CET	49731	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:19.466820002 CET	443	49731	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:19.468355894 CET	49729	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:20.073594093 CET	443	49731	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:20.073607922 CET	443	49731	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:20.077068090 CET	49731	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:20.081430912 CET	49731	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:20.081446886 CET	443	49731	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:20.081576109 CET	49731	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:20.081593990 CET	443	49731	34.117.188.166	192.168.2.8
Oct 31, 2024 16:36:20.081659079 CET	49731	443	192.168.2.8	34.117.188.166
Oct 31, 2024 16:36:20.226870060 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:20.231827021 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:20.233639956 CET	49734	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:20.238548040 CET	80	49734	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:20.239733934 CET	49734	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:20.239906073 CET	49734	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:20.244793892 CET	80	49734	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:20.354006052 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:20.372745037 CET	49734	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:20.381617069 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:20.386804104 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:20.389118910 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:20.389442921 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:20.394275904 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:20.401300907 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:20.424197912 CET	80	49734	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:20.734760046 CET	80	49734	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:20.736304045 CET	49734	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:20.993447065 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:21.038409948 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:22.263010025 CET	49740	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:22.263056993 CET	443	49740	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:22.273283958 CET	49740	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:22.274996042 CET	49740	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:22.275017023 CET	443	49740	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:22.400758028 CET	49741	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:22.400806904 CET	443	49741	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:22.401264906 CET	49741	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:22.401397943 CET	49741	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:22.401412010 CET	443	49741	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:22.474952936 CET	49742	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:22.475001097 CET	443	49742	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:22.475704908 CET	49742	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:22.477186918 CET	49742	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:22.477202892 CET	443	49742	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:22.776910067 CET	49743	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:22.776962042 CET	443	49743	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:22.777229071 CET	49743	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:22.778609991 CET	49743	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:22.778621912 CET	443	49743	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:22.886285067 CET	443	49740	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:22.886302948 CET	443	49740	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:22.886396885 CET	49740	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:22.900131941 CET	49740	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:22.900146008 CET	443	49740	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:22.900216103 CET	49740	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:22.900331020 CET	443	49740	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:22.903564930 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:22.904576063 CET	49740	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:22.908479929 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:23.009706974 CET	443	49741	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:23.009927988 CET	49741	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:23.030764103 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:23.085011005 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:23.089215994 CET	443	49742	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:23.089755058 CET	49742	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:23.391427994 CET	443	49743	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:23.391495943 CET	49743	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:24.240956068 CET	49741	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:24.240998983 CET	443	49741	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:24.241369963 CET	443	49741	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:24.255810022 CET	49741	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:24.255883932 CET	49741	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:24.256030083 CET	443	49741	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:24.256438017 CET	49743	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:24.256468058 CET	443	49743	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:24.256494045 CET	49743	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:24.256758928 CET	443	49743	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:24.265431881 CET	49741	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:24.265441895 CET	49743	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:24.273072004 CET	49742	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:24.273097992 CET	443	49742	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:24.273185968 CET	49742	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:24.273371935 CET	443	49742	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:24.285741091 CET	49742	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:24.306679964 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:24.311624050 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:24.433661938 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:24.474792004 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:26.715745926 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:26.721556902 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:26.843426943 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:26.897562981 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:27.947376013 CET	49744	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:27.947402000 CET	443	49744	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:27.947835922 CET	49744	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:27.949279070 CET	49744	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:27.949294090 CET	443	49744	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:28.542552948 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:28.547447920 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:28.559396029 CET	49745	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:28.559422016 CET	443	49745	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:28.559564114 CET	49745	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:28.561008930 CET	49745	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:28.561024904 CET	443	49745	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:28.566893101 CET	443	49744	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:28.567048073 CET	49744	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:28.570391893 CET	49744	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:28.570396900 CET	443	49744	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:28.570458889 CET	49744	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:28.570539951 CET	443	49744	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:28.570986986 CET	49744	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:28.669487000 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:28.724967957 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:28.737483978 CET	49746	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:28.737523079 CET	443	49746	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:28.739293098 CET	49746	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:28.740591049 CET	49746	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:28.740612984 CET	443	49746	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:29.176688910 CET	443	49745	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:29.177952051 CET	49745	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:29.270531893 CET	49745	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:29.270545959 CET	443	49745	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:29.270616055 CET	49745	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:29.270844936 CET	443	49745	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:29.270910025 CET	49745	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:29.351526022 CET	443	49746	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:29.351603985 CET	49746	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:29.356416941 CET	49746	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:29.356422901 CET	443	49746	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:29.356477976 CET	49746	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:29.356645107 CET	443	49746	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:29.356714010 CET	49746	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:29.715470076 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:29.717077017 CET	49747	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:29.717127085 CET	443	49747	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:29.718189001 CET	49747	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:29.719703913 CET	49747	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:29.719727039 CET	443	49747	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:29.720623016 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:29.792732954 CET	49748	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:29.792778969 CET	443	49748	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:29.792860031 CET	49748	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:29.792980909 CET	49748	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:29.792994976 CET	443	49748	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:29.842184067 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:29.890726089 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:29.981875896 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:30.082226992 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:30.206803083 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:30.260621071 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:30.337210894 CET	443	49747	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:30.337287903 CET	49747	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:30.422939062 CET	443	49748	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:30.423055887 CET	49748	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:30.741406918 CET	49748	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:30.741446018 CET	443	49748	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:30.741942883 CET	443	49748	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:30.756686926 CET	49747	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:30.756726027 CET	443	49747	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:30.756778955 CET	49747	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:30.757249117 CET	443	49747	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:30.757571936 CET	49747	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:30.767904043 CET	49748	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:30.767962933 CET	49748	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:30.768172026 CET	443	49748	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:30.768277884 CET	49748	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:30.973263025 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:30.978188992 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:31.013801098 CET	49749	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.013843060 CET	443	49749	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.017015934 CET	49749	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.100861073 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:31.147650003 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:31.150000095 CET	49749	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.150013924 CET	443	49749	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.162491083 CET	49750	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.162543058 CET	443	49750	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.162643909 CET	49751	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.162673950 CET	443	49751	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.162764072 CET	49752	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.162796021 CET	443	49752	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.163331032 CET	49750	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.163340092 CET	49752	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.163341045 CET	49751	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.163512945 CET	49750	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.163527966 CET	443	49750	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.163666010 CET	49752	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.163676977 CET	443	49752	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.163762093 CET	49751	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.163772106 CET	443	49751	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.165771961 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:31.170384884 CET	49753	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.170420885 CET	443	49753	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.170722961 CET	49753	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.170909882 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:31.172199011 CET	49753	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.172214031 CET	443	49753	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.293533087 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:31.348218918 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:31.760085106 CET	443	49749	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.760236979 CET	49749	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.771538019 CET	443	49752	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.771611929 CET	49752	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.772474051 CET	443	49750	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.772543907 CET	49750	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.782267094 CET	443	49751	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.782356977 CET	49751	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.793520927 CET	443	49753	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:31.793605089 CET	49753	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.999690056 CET	49749	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:31.999711037 CET	443	49749	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.000092030 CET	443	49749	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.002077103 CET	49750	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.002103090 CET	443	49750	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.002580881 CET	443	49750	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.004271984 CET	49752	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.004312038 CET	443	49752	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.004683018 CET	443	49752	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.006784916 CET	49751	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.006808043 CET	443	49751	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.007174015 CET	443	49751	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.012398005 CET	49749	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.012648106 CET	443	49749	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.013637066 CET	49750	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.013699055 CET	49750	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.013797045 CET	49749	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.013818026 CET	443	49749	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.013886929 CET	443	49750	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.014386892 CET	49752	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.014470100 CET	49751	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.014543056 CET	49752	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.014581919 CET	443	49752	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.014708996 CET	49751	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.014812946 CET	443	49751	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.016060114 CET	49750	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.016084909 CET	49752	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.016395092 CET	49751	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.017071009 CET	49753	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.017102957 CET	443	49753	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.017164946 CET	49753	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.017262936 CET	443	49753	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.018424988 CET	49753	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.019181967 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:32.021662951 CET	49754	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.021691084 CET	443	49754	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.021773100 CET	49754	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.023663044 CET	49754	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.023679018 CET	443	49754	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.024112940 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:32.146589041 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:32.150212049 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:32.155144930 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:32.197443008 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:32.223342896 CET	443	49749	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.223484039 CET	49749	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.278994083 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:32.335544109 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:32.631361008 CET	443	49754	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.631449938 CET	49754	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.637177944 CET	49754	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.637191057 CET	443	49754	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.637342930 CET	443	49754	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.637424946 CET	49754	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.637434006 CET	443	49754	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.637624979 CET	49754	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.642024994 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:32.644563913 CET	49755	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.644610882 CET	443	49755	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.644969940 CET	49755	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.646370888 CET	49755	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:32.646384954 CET	443	49755	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:32.647085905 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:32.768856049 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:32.774650097 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:32.779973984 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:32.823925972 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:32.902070999 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:32.952923059 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:33.274377108 CET	443	49755	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:33.274529934 CET	49755	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:33.280184031 CET	49755	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:33.280213118 CET	443	49755	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:33.280320883 CET	49755	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:33.280424118 CET	443	49755	34.120.208.123	192.168.2.8
Oct 31, 2024 16:36:33.282370090 CET	49755	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:36:33.283617020 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:33.288491964 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:33.410394907 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:33.413655043 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:33.418592930 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:33.454377890 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:33.540066957 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:33.601535082 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:39.818883896 CET	49756	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:39.818907022 CET	443	49756	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:39.818994999 CET	49756	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:39.820426941 CET	49756	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:39.820440054 CET	443	49756	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:40.431725979 CET	443	49756	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:40.431835890 CET	49756	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:40.436428070 CET	49756	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:40.436448097 CET	443	49756	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:40.436508894 CET	49756	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:40.436831951 CET	443	49756	34.107.243.93	192.168.2.8
Oct 31, 2024 16:36:40.437422037 CET	49756	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:36:40.439569950 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:40.444900036 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:40.567774057 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:40.571798086 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:40.576740980 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:40.609671116 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:40.698872089 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:40.741188049 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:45.668729067 CET	49757	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:45.668765068 CET	443	49757	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:45.669919014 CET	49757	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:45.670136929 CET	49757	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:45.670146942 CET	443	49757	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:45.845525026 CET	49758	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:45.845561981 CET	443	49758	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:45.846060991 CET	49759	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:45.846071959 CET	443	49759	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:45.854924917 CET	49758	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:45.854948044 CET	49759	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:45.855470896 CET	49758	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:45.855484009 CET	443	49758	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:45.857680082 CET	49759	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:45.857687950 CET	443	49759	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:45.928368092 CET	49760	443	192.168.2.8	151.101.65.91
Oct 31, 2024 16:36:45.928401947 CET	443	49760	151.101.65.91	192.168.2.8
Oct 31, 2024 16:36:45.929789066 CET	49761	443	192.168.2.8	35.201.103.21
Oct 31, 2024 16:36:45.929810047 CET	443	49761	35.201.103.21	192.168.2.8
Oct 31, 2024 16:36:45.939604998 CET	49760	443	192.168.2.8	151.101.65.91
Oct 31, 2024 16:36:45.939614058 CET	49761	443	192.168.2.8	35.201.103.21
Oct 31, 2024 16:36:45.939745903 CET	49760	443	192.168.2.8	151.101.65.91
Oct 31, 2024 16:36:45.939760923 CET	443	49760	151.101.65.91	192.168.2.8
Oct 31, 2024 16:36:45.941412926 CET	49761	443	192.168.2.8	35.201.103.21
Oct 31, 2024 16:36:45.941420078 CET	443	49761	35.201.103.21	192.168.2.8
Oct 31, 2024 16:36:46.520217896 CET	443	49757	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:46.520334959 CET	49757	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.523705006 CET	49757	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.523720980 CET	443	49757	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:46.524034977 CET	443	49757	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:46.526762009 CET	49757	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.526926994 CET	49757	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.526930094 CET	443	49757	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:46.526946068 CET	443	49757	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:46.527487040 CET	49757	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.531394005 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:46.534076929 CET	443	49758	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:46.534112930 CET	443	49758	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:46.534183979 CET	49758	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:46.535346985 CET	443	49759	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:46.535361052 CET	443	49759	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:46.535412073 CET	49759	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:46.536744118 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:46.537153959 CET	49758	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:46.537159920 CET	443	49758	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:46.537851095 CET	443	49758	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:46.542684078 CET	49758	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:46.542870998 CET	443	49758	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:46.543011904 CET	49758	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:46.543019056 CET	443	49758	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:46.543487072 CET	49759	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:46.543489933 CET	443	49759	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:46.543576002 CET	49759	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:46.543634892 CET	443	49759	35.190.72.216	192.168.2.8
Oct 31, 2024 16:36:46.543916941 CET	49759	443	192.168.2.8	35.190.72.216
Oct 31, 2024 16:36:46.550000906 CET	443	49761	35.201.103.21	192.168.2.8
Oct 31, 2024 16:36:46.550015926 CET	443	49761	35.201.103.21	192.168.2.8
Oct 31, 2024 16:36:46.550082922 CET	49761	443	192.168.2.8	35.201.103.21
Oct 31, 2024 16:36:46.554732084 CET	49761	443	192.168.2.8	35.201.103.21
Oct 31, 2024 16:36:46.554735899 CET	443	49761	35.201.103.21	192.168.2.8
Oct 31, 2024 16:36:46.554800987 CET	49761	443	192.168.2.8	35.201.103.21
Oct 31, 2024 16:36:46.554949999 CET	443	49761	35.201.103.21	192.168.2.8
Oct 31, 2024 16:36:46.555476904 CET	49761	443	192.168.2.8	35.201.103.21
Oct 31, 2024 16:36:46.559075117 CET	49762	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:46.559107065 CET	443	49762	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:46.559180975 CET	49762	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:46.559303045 CET	49762	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:46.559319973 CET	443	49762	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:46.580212116 CET	443	49760	151.101.65.91	192.168.2.8
Oct 31, 2024 16:36:46.580225945 CET	443	49760	151.101.65.91	192.168.2.8
Oct 31, 2024 16:36:46.580317020 CET	49760	443	192.168.2.8	151.101.65.91
Oct 31, 2024 16:36:46.583123922 CET	49760	443	192.168.2.8	151.101.65.91
Oct 31, 2024 16:36:46.583132982 CET	443	49760	151.101.65.91	192.168.2.8
Oct 31, 2024 16:36:46.583355904 CET	443	49760	151.101.65.91	192.168.2.8
Oct 31, 2024 16:36:46.585690022 CET	49760	443	192.168.2.8	151.101.65.91
Oct 31, 2024 16:36:46.585767031 CET	49760	443	192.168.2.8	151.101.65.91
Oct 31, 2024 16:36:46.585827112 CET	443	49760	151.101.65.91	192.168.2.8
Oct 31, 2024 16:36:46.588247061 CET	49760	443	192.168.2.8	151.101.65.91
Oct 31, 2024 16:36:46.595252991 CET	49763	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.595280886 CET	443	49763	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:46.596003056 CET	49763	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.603925943 CET	49763	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.603936911 CET	443	49763	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:46.604394913 CET	49764	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.604423046 CET	443	49764	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:46.605262995 CET	49765	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.605278969 CET	443	49765	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:46.605798960 CET	49764	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.605979919 CET	49765	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.605983973 CET	49764	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.605992079 CET	443	49764	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:46.606107950 CET	49765	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:46.606115103 CET	443	49765	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:46.658994913 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:46.661875010 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:46.667032003 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:46.704145908 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:46.751357079 CET	443	49758	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:46.751450062 CET	49758	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:46.799864054 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:46.842348099 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:47.167002916 CET	443	49762	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:47.167078018 CET	49762	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:47.170615911 CET	49762	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:47.170627117 CET	443	49762	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:47.170936108 CET	443	49762	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:47.173547983 CET	49762	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:47.173649073 CET	49762	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:47.173712969 CET	443	49762	34.149.100.209	192.168.2.8
Oct 31, 2024 16:36:47.174405098 CET	49762	443	192.168.2.8	34.149.100.209
Oct 31, 2024 16:36:47.191386938 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:47.196312904 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:47.213814974 CET	443	49765	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:47.213886023 CET	49765	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.216952085 CET	49765	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.216962099 CET	443	49765	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:47.217181921 CET	443	49765	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:47.219824076 CET	49765	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.219922066 CET	49765	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.220045090 CET	443	49765	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:47.220235109 CET	49765	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.281883001 CET	443	49764	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:47.281985998 CET	49764	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.284917116 CET	49764	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.284925938 CET	443	49764	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:47.285181999 CET	443	49764	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:47.286428928 CET	443	49763	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:47.286748886 CET	49763	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.289093971 CET	49763	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.289102077 CET	443	49763	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:47.289463997 CET	443	49763	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:47.290451050 CET	49764	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.290508032 CET	49764	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.290630102 CET	443	49764	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:47.293106079 CET	49763	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.293167114 CET	49763	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.293349981 CET	443	49763	35.244.181.201	192.168.2.8
Oct 31, 2024 16:36:47.296098948 CET	49764	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.296112061 CET	49763	443	192.168.2.8	35.244.181.201
Oct 31, 2024 16:36:47.318449020 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:47.332535982 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:47.337521076 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:47.374946117 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:47.460244894 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:47.506513119 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:57.334980965 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:57.339899063 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:36:57.473064899 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:36:57.690612078 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:00.871391058 CET	64364	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:00.871423960 CET	443	64364	34.107.243.93	192.168.2.8
Oct 31, 2024 16:37:00.871803999 CET	64364	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:00.873234987 CET	64364	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:00.873248100 CET	443	64364	34.107.243.93	192.168.2.8
Oct 31, 2024 16:37:01.481868982 CET	443	64364	34.107.243.93	192.168.2.8
Oct 31, 2024 16:37:01.481945992 CET	64364	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:01.487330914 CET	64364	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:01.487341881 CET	443	64364	34.107.243.93	192.168.2.8
Oct 31, 2024 16:37:01.487435102 CET	64364	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:01.487457037 CET	443	64364	34.107.243.93	192.168.2.8
Oct 31, 2024 16:37:01.488982916 CET	64364	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:01.490819931 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:01.497464895 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:01.620563984 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:01.624103069 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:01.629228115 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:01.668889999 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:01.750726938 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:01.800434113 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:11.638345003 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:11.643266916 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:11.754277945 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:12.098009109 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:14.768105030 CET	64365	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.768165112 CET	443	64365	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:14.768234015 CET	64366	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.768285990 CET	443	64366	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:14.768359900 CET	64367	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.768368959 CET	443	64367	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:14.768498898 CET	64368	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.768536091 CET	443	64368	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:14.768624067 CET	64369	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.768657923 CET	443	64369	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:14.768704891 CET	64365	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.768718004 CET	64366	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.768732071 CET	64367	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.768857956 CET	64365	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.768868923 CET	443	64365	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:14.769016981 CET	64368	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.769016981 CET	64368	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.769047976 CET	64367	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.769057989 CET	443	64367	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:14.769058943 CET	443	64368	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:14.769114017 CET	64366	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.769125938 CET	443	64366	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:14.769700050 CET	64369	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.769840002 CET	64369	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.769845963 CET	443	64369	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:14.801350117 CET	64370	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.801383018 CET	443	64370	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:14.802047014 CET	64370	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.802418947 CET	64370	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:14.802433968 CET	443	64370	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.128045082 CET	443	64367	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.128123999 CET	443	64365	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.128134012 CET	64367	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.129528999 CET	64365	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.132179976 CET	64367	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.132190943 CET	443	64367	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.132472992 CET	443	64367	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.134922981 CET	64365	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.134927988 CET	443	64365	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.135251999 CET	443	64365	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.136333942 CET	443	64368	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.137039900 CET	64368	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.139247894 CET	443	64366	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.139332056 CET	64368	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.139344931 CET	443	64368	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.139488935 CET	64366	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.139578104 CET	443	64369	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.139599085 CET	443	64368	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.140098095 CET	64369	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.142043114 CET	64366	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.142050028 CET	443	64366	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.142389059 CET	443	64366	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.145184994 CET	64369	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.145209074 CET	443	64369	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.145567894 CET	443	64369	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.146620989 CET	64367	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.146858931 CET	443	64367	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.146918058 CET	64367	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.146928072 CET	443	64367	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.147628069 CET	443	64370	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.147691965 CET	64365	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.147774935 CET	64365	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.147886038 CET	443	64365	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.148188114 CET	64371	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.148233891 CET	443	64371	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.148421049 CET	64372	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.148448944 CET	443	64372	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.153645992 CET	64368	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.153881073 CET	443	64368	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.153981924 CET	64368	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.153995991 CET	443	64368	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.154535055 CET	64366	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.154622078 CET	64366	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.154737949 CET	64369	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.154755116 CET	443	64366	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.154812098 CET	64369	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.154947042 CET	64370	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.154999971 CET	443	64369	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.155179977 CET	64365	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.155256033 CET	64366	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.155276060 CET	64369	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.155276060 CET	64371	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.155278921 CET	64372	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.155507088 CET	64368	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.158257961 CET	64370	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.158282042 CET	443	64370	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.158564091 CET	443	64370	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.158641100 CET	64371	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.158665895 CET	443	64371	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.158714056 CET	64372	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.158725023 CET	443	64372	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.160989046 CET	64370	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.161083937 CET	64370	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.161148071 CET	443	64370	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.161371946 CET	64370	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.192080021 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:16.197151899 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:16.319554090 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:16.355334044 CET	443	64367	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.356465101 CET	64367	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.367928028 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:16.413722992 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:16.418847084 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:16.540224075 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:16.584173918 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:16.764111042 CET	443	64372	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.764126062 CET	443	64372	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.764183998 CET	64372	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.767113924 CET	64372	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.767127037 CET	443	64372	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.767426014 CET	443	64372	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.770416975 CET	64372	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.770533085 CET	64372	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.770612001 CET	443	64372	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.773144960 CET	64372	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.774285078 CET	443	64371	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.774297953 CET	443	64371	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.775015116 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:16.776585102 CET	64371	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.779881954 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:16.780761003 CET	64371	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.780781031 CET	443	64371	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.781066895 CET	443	64371	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.783979893 CET	64371	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.784111023 CET	64371	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.784168959 CET	443	64371	34.120.208.123	192.168.2.8
Oct 31, 2024 16:37:16.784732103 CET	64371	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.784751892 CET	64371	443	192.168.2.8	34.120.208.123
Oct 31, 2024 16:37:16.902718067 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:16.954112053 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:16.981266022 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:16.986176968 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:17.107328892 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:17.154597998 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:21.588507891 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:21.593383074 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:21.715522051 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:21.718739986 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:21.723515034 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:21.767900944 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:21.845153093 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:21.899658918 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:31.726898909 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:31.731878996 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:31.858438015 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:31.863646984 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:41.740643024 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:41.745565891 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:41.872373104 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:41.877306938 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:42.695097923 CET	64376	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:42.695143938 CET	443	64376	34.107.243.93	192.168.2.8
Oct 31, 2024 16:37:42.695385933 CET	64376	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:42.696974993 CET	64376	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:42.696995974 CET	443	64376	34.107.243.93	192.168.2.8
Oct 31, 2024 16:37:43.315104008 CET	443	64376	34.107.243.93	192.168.2.8
Oct 31, 2024 16:37:43.315284014 CET	64376	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:43.320491076 CET	64376	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:43.320523024 CET	443	64376	34.107.243.93	192.168.2.8
Oct 31, 2024 16:37:43.320574045 CET	64376	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:43.320744038 CET	443	64376	34.107.243.93	192.168.2.8
Oct 31, 2024 16:37:43.321412086 CET	64376	443	192.168.2.8	34.107.243.93
Oct 31, 2024 16:37:43.323498964 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:43.328298092 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:43.451353073 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:43.455127954 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:43.460201025 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:43.492115974 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:43.582159042 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:43.630249977 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:53.458584070 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:53.463546038 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:37:53.590164900 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:37:53.595221996 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:38:03.464709044 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:38:03.469815016 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:38:03.618166924 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:38:03.623034000 CET	80	49736	34.107.221.82	192.168.2.8
Oct 31, 2024 16:38:13.470252991 CET	49724	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:38:13.475366116 CET	80	49724	34.107.221.82	192.168.2.8
Oct 31, 2024 16:38:13.639571905 CET	49736	80	192.168.2.8	34.107.221.82
Oct 31, 2024 16:38:13.644644976 CET	80	49736	34.107.221.82	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 16:36:16.491949081 CET	60785	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:16.494218111 CET	51399	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:16.499033928 CET	53	60785	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:16.504991055 CET	62143	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:16.506125927 CET	61095	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:16.507093906 CET	56879	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:16.512275934 CET	53	62143	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:16.512970924 CET	53	61095	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:16.513963938 CET	53	56879	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:16.514610052 CET	53765	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:16.514995098 CET	57367	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:16.516386032 CET	60092	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:16.521975040 CET	53	57367	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:16.522191048 CET	53	53765	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:16.523232937 CET	53	60092	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:17.282347918 CET	60122	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.282424927 CET	63940	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.289328098 CET	53	60122	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:17.289470911 CET	53	63940	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:17.295916080 CET	59482	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.302787066 CET	53	59482	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:17.305665016 CET	50636	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.307336092 CET	56652	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.309339046 CET	65359	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.312840939 CET	53	50636	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:17.313307047 CET	49160	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.315913916 CET	53	65359	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:17.318120956 CET	53308	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.319591999 CET	57517	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.320574999 CET	53	49160	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:17.322943926 CET	52507	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.324769974 CET	53	53308	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:17.326695919 CET	53	57517	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:17.329767942 CET	53	52507	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:17.335571051 CET	59811	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.343844891 CET	53	59811	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:17.674909115 CET	61895	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.682213068 CET	53	61895	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:17.684643030 CET	50093	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.693064928 CET	53	50093	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:17.693841934 CET	61986	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:17.700670004 CET	53	61986	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:18.150182009 CET	64437	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:18.186405897 CET	53	64265	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:18.820096016 CET	55324	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:20.394089937 CET	61261	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:20.401197910 CET	53	61261	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:20.402544975 CET	53146	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:20.409383059 CET	53	53146	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:20.410372972 CET	54151	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:20.417578936 CET	53	54151	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:22.269891024 CET	52523	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:22.278347015 CET	53	52523	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:22.297343016 CET	61100	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:22.305108070 CET	53	61100	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:22.331899881 CET	64522	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:22.339575052 CET	53	64522	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:22.387448072 CET	61237	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:22.394969940 CET	53	61237	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:22.475379944 CET	59221	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:22.482146025 CET	53	59221	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:22.486787081 CET	61008	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:22.493551016 CET	53	61008	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:22.598263025 CET	55210	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:22.774871111 CET	53	55210	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:22.777523041 CET	55229	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:22.785094023 CET	53	55229	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:22.801013947 CET	57396	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:22.808187008 CET	53	57396	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:22.904298067 CET	63334	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:27.940334082 CET	49380	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:27.948112965 CET	53	49380	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:27.960128069 CET	52763	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:27.960302114 CET	63828	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:27.960449934 CET	62434	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:27.967207909 CET	53	63828	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:27.967223883 CET	53	52763	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:27.967538118 CET	53	62434	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.429563999 CET	64834	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.429672956 CET	51309	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.429820061 CET	52683	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.436794996 CET	53	51309	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.437714100 CET	53	52683	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.437725067 CET	53	64834	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.440705061 CET	55001	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.443720102 CET	61924	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.445959091 CET	54463	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.447952032 CET	53	55001	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.450625896 CET	53	61924	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.453419924 CET	53	54463	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.456120014 CET	55694	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.457163095 CET	55991	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.464510918 CET	53	55694	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.465976954 CET	53	55991	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.466463089 CET	52797	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.466692924 CET	62750	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.473998070 CET	53	62750	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.474057913 CET	53	52797	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.474519014 CET	55619	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.474962950 CET	56831	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.481709003 CET	53	55619	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.482292891 CET	53	56831	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.551207066 CET	60802	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.558141947 CET	53	60802	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:28.559168100 CET	51901	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:28.565932989 CET	53	51901	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:32.644910097 CET	51964	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:32.652096987 CET	53	51964	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:39.810805082 CET	62543	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:39.817929029 CET	53	62543	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:39.818803072 CET	57172	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:39.825892925 CET	53	57172	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:45.816900015 CET	54059	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:45.857379913 CET	57643	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:45.918704987 CET	53	54059	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:45.919311047 CET	53	57643	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:45.926275015 CET	50314	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:45.929244995 CET	52046	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:45.930246115 CET	59020	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:45.932924986 CET	53	50314	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:45.938201904 CET	53	59020	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:45.939544916 CET	53	52046	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:45.944562912 CET	51128	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:45.945632935 CET	61294	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:36:45.951611996 CET	53	51128	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:45.953018904 CET	53	61294	1.1.1.1	192.168.2.8
Oct 31, 2024 16:36:48.286355972 CET	53	49404	162.159.36.2	192.168.2.8
Oct 31, 2024 16:36:48.939651012 CET	53	56331	1.1.1.1	192.168.2.8
Oct 31, 2024 16:37:00.871745110 CET	52313	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:37:00.878645897 CET	53	52313	1.1.1.1	192.168.2.8
Oct 31, 2024 16:37:15.542282104 CET	52690	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:37:15.549391985 CET	53	52690	1.1.1.1	192.168.2.8
Oct 31, 2024 16:37:42.683167934 CET	61902	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:37:42.690525055 CET	53	61902	1.1.1.1	192.168.2.8
Oct 31, 2024 16:37:42.691586971 CET	58415	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:37:42.699023962 CET	53	58415	1.1.1.1	192.168.2.8
Oct 31, 2024 16:37:43.323810101 CET	57175	53	192.168.2.8	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 16:36:16.491949081 CET	192.168.2.8	1.1.1.1	0x5bde	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:16.494218111 CET	192.168.2.8	1.1.1.1	0xac87	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:16.504991055 CET	192.168.2.8	1.1.1.1	0x9655	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:16.506125927 CET	192.168.2.8	1.1.1.1	0x7973	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:16.507093906 CET	192.168.2.8	1.1.1.1	0xe990	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:16.514610052 CET	192.168.2.8	1.1.1.1	0x1cf2	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 16:36:16.514995098 CET	192.168.2.8	1.1.1.1	0xaa19	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 31, 2024 16:36:16.516386032 CET	192.168.2.8	1.1.1.1	0x47f3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 16:36:17.282347918 CET	192.168.2.8	1.1.1.1	0x83c6	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.282424927 CET	192.168.2.8	1.1.1.1	0x10ff	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.295916080 CET	192.168.2.8	1.1.1.1	0xc15f	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.305665016 CET	192.168.2.8	1.1.1.1	0x3c18	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.307336092 CET	192.168.2.8	1.1.1.1	0xea0b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.309339046 CET	192.168.2.8	1.1.1.1	0xefe0	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.313307047 CET	192.168.2.8	1.1.1.1	0x12cb	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.318120956 CET	192.168.2.8	1.1.1.1	0xaebf	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 16:36:17.319591999 CET	192.168.2.8	1.1.1.1	0xb69c	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.322943926 CET	192.168.2.8	1.1.1.1	0xc9ec	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 16:36:17.335571051 CET	192.168.2.8	1.1.1.1	0xb2ac	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 16:36:17.674909115 CET	192.168.2.8	1.1.1.1	0x2dcb	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.684643030 CET	192.168.2.8	1.1.1.1	0x2126	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.693841934 CET	192.168.2.8	1.1.1.1	0x1467	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 16:36:18.150182009 CET	192.168.2.8	1.1.1.1	0x7e43	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:18.820096016 CET	192.168.2.8	1.1.1.1	0xbc9f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:20.394089937 CET	192.168.2.8	1.1.1.1	0x49bf	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:20.402544975 CET	192.168.2.8	1.1.1.1	0x2c49	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:20.410372972 CET	192.168.2.8	1.1.1.1	0x6ff5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 16:36:22.269891024 CET	192.168.2.8	1.1.1.1	0x2d30	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:22.297343016 CET	192.168.2.8	1.1.1.1	0x6a90	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:22.331899881 CET	192.168.2.8	1.1.1.1	0x4445	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 16:36:22.387448072 CET	192.168.2.8	1.1.1.1	0xe8f6	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 16:36:22.475379944 CET	192.168.2.8	1.1.1.1	0xd1f7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:22.486787081 CET	192.168.2.8	1.1.1.1	0x8654	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 16:36:22.598263025 CET	192.168.2.8	1.1.1.1	0x7ccf	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:22.777523041 CET	192.168.2.8	1.1.1.1	0x8583	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:22.801013947 CET	192.168.2.8	1.1.1.1	0x8ad3	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 16:36:22.904298067 CET	192.168.2.8	1.1.1.1	0x31ef	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.940334082 CET	192.168.2.8	1.1.1.1	0xaeec	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 16:36:27.960128069 CET	192.168.2.8	1.1.1.1	0x40b4	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.960302114 CET	192.168.2.8	1.1.1.1	0x13ce	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.960449934 CET	192.168.2.8	1.1.1.1	0x92d9	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.429563999 CET	192.168.2.8	1.1.1.1	0x115d	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.429672956 CET	192.168.2.8	1.1.1.1	0x74a3	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.429820061 CET	192.168.2.8	1.1.1.1	0x9fa3	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.440705061 CET	192.168.2.8	1.1.1.1	0x913	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 31, 2024 16:36:28.443720102 CET	192.168.2.8	1.1.1.1	0x9065	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 31, 2024 16:36:28.445959091 CET	192.168.2.8	1.1.1.1	0x896a	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 31, 2024 16:36:28.456120014 CET	192.168.2.8	1.1.1.1	0xa6fc	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.457163095 CET	192.168.2.8	1.1.1.1	0x1c70	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.466463089 CET	192.168.2.8	1.1.1.1	0x6bfd	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.466692924 CET	192.168.2.8	1.1.1.1	0x9367	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.474519014 CET	192.168.2.8	1.1.1.1	0x6c2f	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 31, 2024 16:36:28.474962950 CET	192.168.2.8	1.1.1.1	0xe157	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 31, 2024 16:36:28.551207066 CET	192.168.2.8	1.1.1.1	0x8f2b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.559168100 CET	192.168.2.8	1.1.1.1	0x123	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 16:36:32.644910097 CET	192.168.2.8	1.1.1.1	0xfd68	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 16:36:39.810805082 CET	192.168.2.8	1.1.1.1	0x544c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:39.818803072 CET	192.168.2.8	1.1.1.1	0x19d6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 16:36:45.816900015 CET	192.168.2.8	1.1.1.1	0x7f6d	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.857379913 CET	192.168.2.8	1.1.1.1	0x1f7e	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.926275015 CET	192.168.2.8	1.1.1.1	0x5774	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 16:36:45.929244995 CET	192.168.2.8	1.1.1.1	0x11fe	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.930246115 CET	192.168.2.8	1.1.1.1	0xbcbf	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.944562912 CET	192.168.2.8	1.1.1.1	0xd94b	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 31, 2024 16:36:45.945632935 CET	192.168.2.8	1.1.1.1	0x34f8	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 16:37:00.871745110 CET	192.168.2.8	1.1.1.1	0x5505	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 16:37:15.542282104 CET	192.168.2.8	1.1.1.1	0x18dc	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 16:37:42.683167934 CET	192.168.2.8	1.1.1.1	0xa523	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:37:42.691586971 CET	192.168.2.8	1.1.1.1	0x39d7	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 16:37:43.323810101 CET	192.168.2.8	1.1.1.1	0x70ae	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 16:36:16.498167038 CET	1.1.1.1	192.168.2.8	0xf46c	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:16.499033928 CET	1.1.1.1	192.168.2.8	0x5bde	No error (0)	youtube.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:16.501461983 CET	1.1.1.1	192.168.2.8	0xac87	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:16.501461983 CET	1.1.1.1	192.168.2.8	0xac87	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:16.512275934 CET	1.1.1.1	192.168.2.8	0x9655	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:16.512970924 CET	1.1.1.1	192.168.2.8	0x7973	No error (0)	youtube.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:16.513963938 CET	1.1.1.1	192.168.2.8	0xe990	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:16.521975040 CET	1.1.1.1	192.168.2.8	0xaa19	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 31, 2024 16:36:16.523232937 CET	1.1.1.1	192.168.2.8	0x47f3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 31, 2024 16:36:17.289328098 CET	1.1.1.1	192.168.2.8	0x83c6	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.289470911 CET	1.1.1.1	192.168.2.8	0x10ff	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.289470911 CET	1.1.1.1	192.168.2.8	0x10ff	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.302787066 CET	1.1.1.1	192.168.2.8	0xc15f	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.302836895 CET	1.1.1.1	192.168.2.8	0x80af	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:17.302836895 CET	1.1.1.1	192.168.2.8	0x80af	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.312840939 CET	1.1.1.1	192.168.2.8	0x3c18	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.314093113 CET	1.1.1.1	192.168.2.8	0xea0b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:17.314093113 CET	1.1.1.1	192.168.2.8	0xea0b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.315913916 CET	1.1.1.1	192.168.2.8	0xefe0	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:17.315913916 CET	1.1.1.1	192.168.2.8	0xefe0	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.320574999 CET	1.1.1.1	192.168.2.8	0x12cb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.326695919 CET	1.1.1.1	192.168.2.8	0xb69c	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.682213068 CET	1.1.1.1	192.168.2.8	0x2dcb	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:17.682213068 CET	1.1.1.1	192.168.2.8	0x2dcb	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:17.682213068 CET	1.1.1.1	192.168.2.8	0x2dcb	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.693064928 CET	1.1.1.1	192.168.2.8	0x2126	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:17.700670004 CET	1.1.1.1	192.168.2.8	0x1467	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 31, 2024 16:36:18.158065081 CET	1.1.1.1	192.168.2.8	0x7e43	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:18.827325106 CET	1.1.1.1	192.168.2.8	0xbc9f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:18.827325106 CET	1.1.1.1	192.168.2.8	0xbc9f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:20.401197910 CET	1.1.1.1	192.168.2.8	0x49bf	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:20.409383059 CET	1.1.1.1	192.168.2.8	0x2c49	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:22.278347015 CET	1.1.1.1	192.168.2.8	0x2d30	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:22.278347015 CET	1.1.1.1	192.168.2.8	0x2d30	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:22.278347015 CET	1.1.1.1	192.168.2.8	0x2d30	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:22.305108070 CET	1.1.1.1	192.168.2.8	0x6a90	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:22.394946098 CET	1.1.1.1	192.168.2.8	0x95f7	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:22.394946098 CET	1.1.1.1	192.168.2.8	0x95f7	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:22.456376076 CET	1.1.1.1	192.168.2.8	0x26fa	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:22.482146025 CET	1.1.1.1	192.168.2.8	0xd1f7	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:22.774871111 CET	1.1.1.1	192.168.2.8	0x7ccf	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:22.774871111 CET	1.1.1.1	192.168.2.8	0x7ccf	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:22.785094023 CET	1.1.1.1	192.168.2.8	0x8583	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:22.911878109 CET	1.1.1.1	192.168.2.8	0x31ef	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:22.911878109 CET	1.1.1.1	192.168.2.8	0x31ef	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.946494102 CET	1.1.1.1	192.168.2.8	0xcbf	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967207909 CET	1.1.1.1	192.168.2.8	0x13ce	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967207909 CET	1.1.1.1	192.168.2.8	0x13ce	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967223883 CET	1.1.1.1	192.168.2.8	0x40b4	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967538118 CET	1.1.1.1	192.168.2.8	0x92d9	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:27.967538118 CET	1.1.1.1	192.168.2.8	0x92d9	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.436794996 CET	1.1.1.1	192.168.2.8	0x74a3	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.437714100 CET	1.1.1.1	192.168.2.8	0x9fa3	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.437725067 CET	1.1.1.1	192.168.2.8	0x115d	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.447952032 CET	1.1.1.1	192.168.2.8	0x913	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 16:36:28.447952032 CET	1.1.1.1	192.168.2.8	0x913	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 16:36:28.447952032 CET	1.1.1.1	192.168.2.8	0x913	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 16:36:28.447952032 CET	1.1.1.1	192.168.2.8	0x913	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 16:36:28.450625896 CET	1.1.1.1	192.168.2.8	0x9065	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 31, 2024 16:36:28.453419924 CET	1.1.1.1	192.168.2.8	0x896a	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 31, 2024 16:36:28.464510918 CET	1.1.1.1	192.168.2.8	0xa6fc	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:28.464510918 CET	1.1.1.1	192.168.2.8	0xa6fc	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.464510918 CET	1.1.1.1	192.168.2.8	0xa6fc	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.464510918 CET	1.1.1.1	192.168.2.8	0xa6fc	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.464510918 CET	1.1.1.1	192.168.2.8	0xa6fc	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.465976954 CET	1.1.1.1	192.168.2.8	0x1c70	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.473998070 CET	1.1.1.1	192.168.2.8	0x9367	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.474057913 CET	1.1.1.1	192.168.2.8	0x6bfd	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.474057913 CET	1.1.1.1	192.168.2.8	0x6bfd	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.474057913 CET	1.1.1.1	192.168.2.8	0x6bfd	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.474057913 CET	1.1.1.1	192.168.2.8	0x6bfd	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:28.558141947 CET	1.1.1.1	192.168.2.8	0x8f2b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:39.817929029 CET	1.1.1.1	192.168.2.8	0x544c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.918692112 CET	1.1.1.1	192.168.2.8	0x3ef	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:45.918692112 CET	1.1.1.1	192.168.2.8	0x3ef	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.918704987 CET	1.1.1.1	192.168.2.8	0x7f6d	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.918704987 CET	1.1.1.1	192.168.2.8	0x7f6d	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.918704987 CET	1.1.1.1	192.168.2.8	0x7f6d	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.918704987 CET	1.1.1.1	192.168.2.8	0x7f6d	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.919311047 CET	1.1.1.1	192.168.2.8	0x1f7e	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:45.919311047 CET	1.1.1.1	192.168.2.8	0x1f7e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.938201904 CET	1.1.1.1	192.168.2.8	0xbcbf	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.939544916 CET	1.1.1.1	192.168.2.8	0x11fe	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.939544916 CET	1.1.1.1	192.168.2.8	0x11fe	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.939544916 CET	1.1.1.1	192.168.2.8	0x11fe	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.939544916 CET	1.1.1.1	192.168.2.8	0x11fe	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:36:45.951611996 CET	1.1.1.1	192.168.2.8	0xd94b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 16:36:45.951611996 CET	1.1.1.1	192.168.2.8	0xd94b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 16:36:45.951611996 CET	1.1.1.1	192.168.2.8	0xd94b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 16:36:45.951611996 CET	1.1.1.1	192.168.2.8	0xd94b	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 16:36:47.306929111 CET	1.1.1.1	192.168.2.8	0xf402	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:36:47.306929111 CET	1.1.1.1	192.168.2.8	0xf402	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:37:15.540781021 CET	1.1.1.1	192.168.2.8	0x41d1	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:37:42.690525055 CET	1.1.1.1	192.168.2.8	0xa523	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 16:37:43.331868887 CET	1.1.1.1	192.168.2.8	0x70ae	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 16:37:43.331868887 CET	1.1.1.1	192.168.2.8	0x70ae	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49713	34.107.221.82	80	6768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 16:36:16.552068949 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:17.142873049 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23418 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49719	34.107.221.82	80	6768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 16:36:17.321374893 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:36:17.916851044 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73263 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49724	34.107.221.82	80	6768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 16:36:18.102032900 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:18.710045099 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23419 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:18.819526911 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:18.946185112 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23419 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:19.048146963 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:19.174902916 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23420 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:20.226870060 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:20.354006052 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23421 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:22.903564930 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:23.030764103 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23423 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:26.715745926 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:26.843426943 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23427 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:29.715470076 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:29.842184067 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23430 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:30.973263025 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:31.100861073 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23432 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:32.019181967 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:32.146589041 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23433 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:32.642024994 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:32.768856049 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23433 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:33.283617020 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:33.410394907 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23434 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:40.439569950 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:40.567774057 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23441 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:46.531394005 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:46.658994913 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23447 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:47.191386938 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:36:47.318449020 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23448 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:36:57.334980965 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 16:37:01.490819931 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:37:01.620563984 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23462 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:37:11.638345003 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 16:37:16.192080021 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:37:16.319554090 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23477 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:37:16.775015116 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:37:16.902718067 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23477 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:37:21.588507891 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:37:21.715522051 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23482 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:37:31.726898909 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 16:37:41.740643024 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 16:37:43.323498964 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 16:37:43.451353073 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 23504 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 16:37:53.458584070 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 16:38:03.464709044 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 16:38:13.470252991 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49728	34.107.221.82	80	6768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 16:36:18.826505899 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49729	34.107.221.82	80	6768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 16:36:18.986756086 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49734	34.107.221.82	80	6768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 16:36:20.239906073 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49736	34.107.221.82	80	6768	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 16:36:20.389442921 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:36:20.993447065 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73266 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:36:24.306679964 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:36:24.433661938 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73270 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:36:28.542552948 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:36:28.669487000 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73274 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:36:29.981875896 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:36:30.206803083 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73276 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:36:31.165771961 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:36:31.293533087 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73277 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:36:32.150212049 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:36:32.278994083 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73278 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:36:32.774650097 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:36:32.902070999 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73278 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:36:33.413655043 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:36:33.540066957 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73279 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:36:40.571798086 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:36:40.698872089 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73286 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:36:46.661875010 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:36:46.799864054 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73292 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:36:47.332535982 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:36:47.460244894 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73293 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:36:57.473064899 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 16:37:01.624103069 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:37:01.750726938 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73307 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:37:11.754277945 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 16:37:16.413722992 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:37:16.540224075 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73322 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:37:16.981266022 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:37:17.107328892 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73323 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:37:21.718739986 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:37:21.845153093 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73327 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:37:31.858438015 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 16:37:41.872373104 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 16:37:43.455127954 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 16:37:43.582159042 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 19:15:14 GMT Age: 73349 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 16:37:53.590164900 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 16:38:03.618166924 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 16:38:13.639571905 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	1
Start time:	11:36:06
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x260000
File size:	919'552 bytes
MD5 hash:	F7B759777F1500CE5514A0C154641CF9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:36:07
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x30000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:36:07
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:36:10
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x30000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:36:11
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:36:11
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x30000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:36:11
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:36:11
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x30000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:36:11
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:36:12
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x30000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:36:12
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:36:12
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:36:12
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:36:12
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	11:36:13
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ac96ae0-b0aa-4a08-ae07-ad8715404c1b} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 22db096d310 socket
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	11:36:15
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3848 -parentBuildID 20230927232528 -prefsHandle 3876 -prefMapHandle 3856 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37f0de6c-b1ae-43d1-aa54-d2569a232f96} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 22dc2a85f10 rdd
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	11:36:21
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 1528 -prefMapHandle 4644 -prefsLen 33464 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13d00d77-8c6e-4eed-a5ad-36e9c86da38f} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 22dcc7dd910 utility
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7%
Total number of Nodes:	1509
Total number of Limit Nodes:	55

Executed Functions

Function 002642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0026430D

Part of subcall function 00266B57: _wcslen.LIBCMT ref: 00266B6A

GetCurrentProcess.KERNEL32(?,002FCB64,00000000,?,?), ref: 00264422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00264429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00264454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00264466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00264474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0026447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002644A0

Strings

|O, xrefs: 002A36F8
GetNativeSystemInfo, xrefs: 00264460
kernel32.dll, xrefs: 0026444F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 687d37ed5fee6c4bc65282f99e01a610a3ac7d1ab896aeb52fb275ce03dc4818
Instruction ID: 34a77d7629105d368b193dede7300e026171a5109e61b575d28055bfbf47597a
Opcode Fuzzy Hash: 687d37ed5fee6c4bc65282f99e01a610a3ac7d1ab896aeb52fb275ce03dc4818
Instruction Fuzzy Hash: CDA1B66EA2A3C0DFC713DB797CC51E57FAC7B26760F1848A9E08193B21DA704568CB21

Function 002642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002650AA,?,?,00000000,00000000), ref: 002642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002650AA,?,?,00000000,00000000), ref: 002642C9
LoadResource.KERNEL32(?,00000000,?,?,002650AA,?,?,00000000,00000000,?,?,?,?,?,?,00264F20), ref: 002A35BE
SizeofResource.KERNEL32(?,00000000,?,?,002650AA,?,?,00000000,00000000,?,?,?,?,?,?,00264F20), ref: 002A35D3
LockResource.KERNEL32(002650AA,?,?,002650AA,?,?,00000000,00000000,?,?,?,?,?,?,00264F20,?), ref: 002A35E6

Strings

SCRIPT, xrefs: 002642BF

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 90f19747e245d6de47a586e0239a012be6e2e2f2b777292509d7242c08129773
Instruction ID: 9a94fc56948493d8ec9b1945d0f3d33ae84764b762402cf93d33fe4d7bfd6bee
Opcode Fuzzy Hash: 90f19747e245d6de47a586e0239a012be6e2e2f2b777292509d7242c08129773
Instruction Fuzzy Hash: 5A11AC70200305BFE7219F65ED58F277BB9EBC5BA1F20416AF802C6290DB71DC20CA20

Function 002A2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00262B6B

Part of subcall function 00263A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00331418,?,00262E7F,?,?,?,00000000), ref: 00263A78

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00322224), ref: 002A2C10
ShellExecuteW.SHELL32(00000000,?,?,00322224), ref: 002A2C17

Strings

runas, xrefs: 002A2C0B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c8e5186a113ea486e0ae3867be72acd214dfec0eda35a62e1f1a7e4364c39146
Instruction ID: 5e43d6ea320bd0d61550c5f92c1d48a3618342e8a56d57cafcb9a67d38d9e039
Opcode Fuzzy Hash: c8e5186a113ea486e0ae3867be72acd214dfec0eda35a62e1f1a7e4364c39146
Instruction Fuzzy Hash: AB11B131228345EAC705FF64E995ABEB7A89B95354F44082DF082531A2CF318AEDDB52

Function 002CD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 002CD501
Process32FirstW.KERNEL32(00000000,?), ref: 002CD50F
Process32NextW.KERNEL32(00000000,?), ref: 002CD52F
CloseHandle.KERNELBASE(00000000), ref: 002CD5DC

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 27e216713c40592333b884a84fdda24f83b2b4b6f51ca11e03acdd0c1048893a
Instruction ID: 2a41171c0a5bdaa2acc6579c8774b39983424649034691269983ba52f24187ac
Opcode Fuzzy Hash: 27e216713c40592333b884a84fdda24f83b2b4b6f51ca11e03acdd0c1048893a
Instruction Fuzzy Hash: 0831B1710183019FD300EF54D885FAFBBE8EF99394F50092DF585831A1EB7199A8CBA2

Function 002CDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,002A5222), ref: 002CDBCE
GetFileAttributesW.KERNELBASE(?), ref: 002CDBDD
FindFirstFileW.KERNEL32(?,?), ref: 002CDBEE
FindClose.KERNEL32(00000000), ref: 002CDBFA

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 62b9c923866baa860e82f4aabda3f83fea054736d7a7fd5a46b2835c2decf59b
Instruction ID: 0810c27d8a5b4e17fd6f1a0d83fb1ad7aab339cccdd9d86d17b40c25b7c228b0
Opcode Fuzzy Hash: 62b9c923866baa860e82f4aabda3f83fea054736d7a7fd5a46b2835c2decf59b
Instruction Fuzzy Hash: D8F0A0308209185782206F7CAE0D9BA376C9E01374BA0472BF836C20E0EBB06A64C6D5

Function 00284CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002928E9,?,00284CBE,002928E9,003288B8,0000000C,00284E15,002928E9,00000002,00000000,?,002928E9), ref: 00284D09
TerminateProcess.KERNEL32(00000000,?,00284CBE,002928E9,003288B8,0000000C,00284E15,002928E9,00000002,00000000,?,002928E9), ref: 00284D10
ExitProcess.KERNEL32 ref: 00284D22

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0961a9077f39bf0575c1b184b8a41d954f2e61b254c6f5591a52b39e8f4e1064
Instruction ID: bbb60218d87438d94379dad7d299f227dcb0c7e6d029205a47c7200ab3d0c2d6
Opcode Fuzzy Hash: 0961a9077f39bf0575c1b184b8a41d954f2e61b254c6f5591a52b39e8f4e1064
Instruction Fuzzy Hash: 51E0B635011149ABCF12BF54EE0DA697B69EB457D1B204064FC098A162CB35ED62DF80

Function 0026BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#3, xrefs: 002B07CE

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#3
API String ID: 3964851224-2865342261
Opcode ID: 8b2225fb3bf74ea5e27306ed6201c41b10e95d69ea5dc384b04fd4f74e295e45
Instruction ID: 6b88a44ecc852617eb69a879fd68d93bebac19c54efe9676a911d2243ac40e8d
Opcode Fuzzy Hash: 8b2225fb3bf74ea5e27306ed6201c41b10e95d69ea5dc384b04fd4f74e295e45
Instruction Fuzzy Hash: 2AA26B706283418FD721DF14C480B6AB7E1BF89344F24896DE89A9B352D771ECA5CF92

Function 002EAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 002EB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002EB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002EB1D4
_wcslen.LIBCMT ref: 002EB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002EB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002EB236
_wcslen.LIBCMT ref: 002EB332

Part of subcall function 002D05A7: GetStdHandle.KERNEL32(000000F6), ref: 002D05C6

_wcslen.LIBCMT ref: 002EB34B
_wcslen.LIBCMT ref: 002EB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002EB3B6
GetLastError.KERNEL32(00000000), ref: 002EB407
CloseHandle.KERNEL32(?), ref: 002EB439
CloseHandle.KERNEL32(00000000), ref: 002EB44A
CloseHandle.KERNEL32(00000000), ref: 002EB45C
CloseHandle.KERNEL32(00000000), ref: 002EB46E
CloseHandle.KERNEL32(?), ref: 002EB4E3

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 295dbdb384084f6e133493ba2f17635ea97b94fd3e6041aa55b6c0aa05302521
Instruction ID: f88d5894e35e9c83fb2b46a3479c8378ebd3c0f47fa98651157eb8a7f8d344b7
Opcode Fuzzy Hash: 295dbdb384084f6e133493ba2f17635ea97b94fd3e6041aa55b6c0aa05302521
Instruction Fuzzy Hash: 8CF1BB315283819FC715EF25C891B6BBBE4AF85314F54845DF8898B2A2DB31EC64CF52

Function 0026D730 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0026D807
timeGetTime.WINMM ref: 0026DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0026DB28
TranslateMessage.USER32(?), ref: 0026DB7B
DispatchMessageW.USER32(?), ref: 0026DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0026DB9F
Sleep.KERNELBASE(0000000A), ref: 0026DBB1

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 64f9fa20b0562ee8283c5c046adfec41d5d85d7ece1ee1ff2a57113c2003fbab
Instruction ID: 7ff4a50a82c4edc5f3225f0880e473a4ac42595627a65884bf0be54f41f72bf4
Opcode Fuzzy Hash: 64f9fa20b0562ee8283c5c046adfec41d5d85d7ece1ee1ff2a57113c2003fbab
Instruction Fuzzy Hash: F442E230B2834ADFD729CF24C894BAABBE4BF45354F14855DE45587291D7B0E8A8CF82

Function 00262CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00262D07
RegisterClassExW.USER32(00000030), ref: 00262D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00262D42
InitCommonControlsEx.COMCTL32(?), ref: 00262D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00262D6F
LoadIconW.USER32(000000A9), ref: 00262D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00262D94

Strings

TaskbarCreated, xrefs: 00262D37
+, xrefs: 00262CF0
0, xrefs: 00262CE9
AutoIt v3 GUI, xrefs: 00262D23

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d80fcab95ac2695c465217cf4d2b42c4b343104d363193f5697e853f9ad8d936
Instruction ID: 28058d7182cfc93fc4d68d43e696058c18284a6dc696297be9c6d6b3f7346529
Opcode Fuzzy Hash: d80fcab95ac2695c465217cf4d2b42c4b343104d363193f5697e853f9ad8d936
Instruction Fuzzy Hash: BE21E3B595130CEFDB01DFA4E989BEDBBB8FB08750F10812AF611A62A0D7B51544CF90

Function 002A065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002A039A: CreateFileW.KERNELBASE(00000000,00000000,?,002A0704,?,?,00000000,?,002A0704,00000000,0000000C), ref: 002A03B7

GetLastError.KERNEL32 ref: 002A076F
__dosmaperr.LIBCMT ref: 002A0776
GetFileType.KERNELBASE(00000000), ref: 002A0782
GetLastError.KERNEL32 ref: 002A078C
__dosmaperr.LIBCMT ref: 002A0795
CloseHandle.KERNEL32(00000000), ref: 002A07B5
CloseHandle.KERNEL32(?), ref: 002A08FF
GetLastError.KERNEL32 ref: 002A0931
__dosmaperr.LIBCMT ref: 002A0938

Strings

H, xrefs: 002A08BD

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 72dcf43b9e9d84fbb0987ce15f21d84ee191efcac7968057d805d675fa0f64bd
Instruction ID: 1da1b1adb30abb21e80e00216abd03f33813a9c438de152068508a661cf35289
Opcode Fuzzy Hash: 72dcf43b9e9d84fbb0987ce15f21d84ee191efcac7968057d805d675fa0f64bd
Instruction Fuzzy Hash: 42A12632A201098FDF19AF68DC91BAE7BA4AB46324F140159F815DF2E1DB359D22CF91

Function 0026344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00263A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00331418,?,00262E7F,?,?,?,00000000), ref: 00263A78

Part of subcall function 00263357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00263379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0026356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002A318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002A31CE
RegCloseKey.ADVAPI32(?), ref: 002A3210
_wcslen.LIBCMT ref: 002A3277
_wcslen.LIBCMT ref: 002A3286

Strings

\Include\, xrefs: 00263527
Include, xrefs: 002A3184, 002A31C5
Software\AutoIt v3\AutoIt, xrefs: 00263560
\, xrefs: 002A328C

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 738697e164d62a21ace0fc2d4bfc5d8267d1083cc605340121e00cda3dfa563b
Instruction ID: d2003399bc1d376741c43abfb3fa912a3aa82a6d548b5e4fb6ee692ba1aa47bf
Opcode Fuzzy Hash: 738697e164d62a21ace0fc2d4bfc5d8267d1083cc605340121e00cda3dfa563b
Instruction Fuzzy Hash: 9B718C755293059FC315EF65EC819ABBBE8FF85360F50042EF545931A0EB309A98CF62

Function 00262B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00262B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00262B9D
LoadIconW.USER32(00000063), ref: 00262BB3
LoadIconW.USER32(000000A4), ref: 00262BC5
LoadIconW.USER32(000000A2), ref: 00262BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00262BEF
RegisterClassExW.USER32(?), ref: 00262C40

Part of subcall function 00262CD4: GetSysColorBrush.USER32(0000000F), ref: 00262D07
Part of subcall function 00262CD4: RegisterClassExW.USER32(00000030), ref: 00262D31
Part of subcall function 00262CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00262D42
Part of subcall function 00262CD4: InitCommonControlsEx.COMCTL32(?), ref: 00262D5F
Part of subcall function 00262CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00262D6F
Part of subcall function 00262CD4: LoadIconW.USER32(000000A9), ref: 00262D85
Part of subcall function 00262CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00262D94

Strings

#, xrefs: 00262C16
0, xrefs: 00262C0F
AutoIt v3, xrefs: 00262C2F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d28f580dd2c1790fdeb0853b8d3a6236f8b96607a5cc555735e827de0cbe1ad2
Instruction ID: 1b76cafc5151a2a71f4c9e35a5402e0ea4ea91444e2abf9f60ffc116b36a2436
Opcode Fuzzy Hash: d28f580dd2c1790fdeb0853b8d3a6236f8b96607a5cc555735e827de0cbe1ad2
Instruction Fuzzy Hash: D4213079E50318AFDB129F95ED99BADBFB8FB48B60F10002AF500A66B0D7B11554CF90

Function 00263170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0026316A,?,?), ref: 002631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0026316A,?,?), ref: 00263204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00263227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0026316A,?,?), ref: 00263232
CreatePopupMenu.USER32 ref: 00263246
PostQuitMessage.USER32(00000000), ref: 00263267

Strings

TaskbarCreated, xrefs: 0026322D

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c17b58954db5b016e25805945d6ce0544c6318d33cca87948e6e46bad63c9bcf
Instruction ID: 4cbf6e12d89a450833908be1c29bb60b5c335dac4162ed4e720d7b46f5530ecd
Opcode Fuzzy Hash: c17b58954db5b016e25805945d6ce0544c6318d33cca87948e6e46bad63c9bcf
Instruction Fuzzy Hash: 30416935230205A7DB16AF389D9DB79361DE707360F140125FA06C62E1CBB09EF4CBA1

Function 00261410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00261459
CoUninitialize.COMBASE ref: 002614F8
UnregisterHotKey.USER32(?), ref: 002616DD
DestroyWindow.USER32(?), ref: 002A24B9
FreeLibrary.KERNEL32(?), ref: 002A251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 002A254B

Strings

close all, xrefs: 00261454

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 09151e7012398da91d86c86e5f3a43a580fe682db5f026a960700d5a1e2576f2
Instruction ID: 259b72a784be7f54f47a118bdb10b08c380a3d9ce40a9c8f32b12153a81baba4
Opcode Fuzzy Hash: 09151e7012398da91d86c86e5f3a43a580fe682db5f026a960700d5a1e2576f2
Instruction Fuzzy Hash: D7D17D31722212CFCB19EF19C599A29F7A4BF05710F6881ADE84A6B251DF30AC76CF51

Function 00262C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00262C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00262CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00261CAD,?), ref: 00262CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00261CAD,?), ref: 00262CCF

Strings

edit, xrefs: 00262CAC
AutoIt v3, xrefs: 00262C89, 00262C8E, 00262C8F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b1dddb8898eca0ff3bd1121baf47de976f73ae31f00185e315ae769550f38a16
Instruction ID: 49b580b30936d85fb101058b39dea589a34ed3e603105511bd36ebd3b2a58304
Opcode Fuzzy Hash: b1dddb8898eca0ff3bd1121baf47de976f73ae31f00185e315ae769550f38a16
Instruction Fuzzy Hash: 49F0DA795402987AEB321717AC8CEB76EBDD7C6FB1F10006AFA00A35A4C6A11854DEB0

Function 00292DF8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,0028F2DE,00293863,00331444,?,0027FDF5,?,?,0026A976,00000010,00331440,002613FC,?,002613C6), ref: 00292DFD
_free.LIBCMT ref: 00292E32
_free.LIBCMT ref: 00292E59
SetLastError.KERNEL32(00000000,00261129), ref: 00292E66
SetLastError.KERNEL32(00000000,00261129), ref: 00292E6F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6a83e4aee47eddd2cd16edc32101255e54617a91f674f28c4095ffac2ccd200b
Instruction ID: 396f46d01b9a3ea6a87749224fe5082fbcb07ae0dd89c5d62eced7a5d2c99476
Opcode Fuzzy Hash: 6a83e4aee47eddd2cd16edc32101255e54617a91f674f28c4095ffac2ccd200b
Instruction Fuzzy Hash: A201D632535605F78E126B347DCAD2B355DABC17F5B310029F855A2193EA60AC394560

Function 00263B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00263B0F,SwapMouseButtons,00000004,?), ref: 00263B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00263B0F,SwapMouseButtons,00000004,?), ref: 00263B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00263B0F,SwapMouseButtons,00000004,?), ref: 00263B83

Strings

Control Panel\Mouse, xrefs: 00263B3E

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 40728439924d6c2015e9bc3af750805dbf643168594bf8deb3ade7231a76cda4
Instruction ID: a339d49c602b85cd05c3663cff3fe12ae21951a51de711a643b3231e48b22820
Opcode Fuzzy Hash: 40728439924d6c2015e9bc3af750805dbf643168594bf8deb3ade7231a76cda4
Instruction Fuzzy Hash: 36115AB1520208FFDB20CFA4DC48EEEB7B8EF01798B104469A801D7210D6319E909760

Function 00263923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002A33A2

Part of subcall function 00266B57: _wcslen.LIBCMT ref: 00266B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00263A04

Strings

Line: , xrefs: 002A33EB

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: fceff9817f3ab66a059727c6928bb73e9f674a4c09706e48e394c7cf964072d5
Instruction ID: 169c0f2922c0249a2b53e6a194aa7a9bb5bcfd2f17dc6f244235d262b447a899
Opcode Fuzzy Hash: fceff9817f3ab66a059727c6928bb73e9f674a4c09706e48e394c7cf964072d5
Instruction Fuzzy Hash: 5031C071429305ABD722EB20DC85BEBB7DCAB41720F10456AF599931D1DF709AA8CFC2

Function 00262DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 002A2C8C

Part of subcall function 00263AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00263A97,?,?,00262E7F,?,?,?,00000000), ref: 00263AC2

Part of subcall function 00262DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00262DC4

Strings

`e2, xrefs: 002A2C85
X, xrefs: 002A2C5A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e2
API String ID: 779396738-2040221244
Opcode ID: ca8ab219622355945d50acdc6ab86891dae89ed507d558c1ee3af3ab13a4deeb
Instruction ID: 6ba27fe9bff376a7c65555d552b4f63bc4c2f0c5a898952d25482913d3a5d59c
Opcode Fuzzy Hash: ca8ab219622355945d50acdc6ab86891dae89ed507d558c1ee3af3ab13a4deeb
Instruction Fuzzy Hash: 8B21C370A202989FCB01EF94D845BEE7BF8AF49314F00805AE405B7241DFB45A9D8F61

Function 0027FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00280668

Part of subcall function 002832A4: RaiseException.KERNEL32(?,?,?,0028068A,?,00331444,?,?,?,?,?,?,0028068A,00261129,00328738,00261129), ref: 00283304

__CxxThrowException@8.LIBVCRUNTIME ref: 00280685

Strings

Unknown exception, xrefs: 00280692

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 99575efd23e426cfb5a9299bbffbfc991f903d9f845fe5635f7999b084a66f5d
Instruction ID: c408e24708cedee2ed679a2ae95c50a7592b2ab98ca3ea995e7e09988527d7e2
Opcode Fuzzy Hash: 99575efd23e426cfb5a9299bbffbfc991f903d9f845fe5635f7999b084a66f5d
Instruction Fuzzy Hash: 3DF0C23892120EB7CF54FAA4E886C9E776C6E00750B608571F928965D2FF71DA39CBD0

Function 002610F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00261BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00261BF4
Part of subcall function 00261BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00261BFC
Part of subcall function 00261BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00261C07
Part of subcall function 00261BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00261C12
Part of subcall function 00261BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00261C1A
Part of subcall function 00261BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00261C22

Part of subcall function 00261B4A: RegisterWindowMessageW.USER32(00000004,?,002612C4), ref: 00261BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0026136A
OleInitialize.OLE32 ref: 00261388
CloseHandle.KERNEL32(00000000,00000000), ref: 002A24AB

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 1b8a75c11e80a40c1dfdb396aec7b8a822166a342c9ad7d13f8ec0eaa1c9e5fa
Instruction ID: c039d9e1ade128ac89552697e56f7566259615777ed09f3d30ca5b9f7abae767
Opcode Fuzzy Hash: 1b8a75c11e80a40c1dfdb396aec7b8a822166a342c9ad7d13f8ec0eaa1c9e5fa
Instruction Fuzzy Hash: 0071E1B59213048FE386DF7AADC56657AE8FB8A340F64823AD44ACB371EB704461CF54

Function 002CC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00263923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00263A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002CC259
KillTimer.USER32(?,00000001,?,?), ref: 002CC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002CC270

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 56fce30b1504f39474d7e044a8bf1dc16a528de416398cec2d86e7ab3d85df10
Instruction ID: 3f1718678fad613d4bf9a128f0559826b44ff187fe137ffb2fe2af17b4e433c2
Opcode Fuzzy Hash: 56fce30b1504f39474d7e044a8bf1dc16a528de416398cec2d86e7ab3d85df10
Instruction Fuzzy Hash: 17319370914344AFEB329F649899BE7BBECAB06304F14049ED5DE97241C7745A84CF52

Function 002986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,002985CC,?,00328CC8,0000000C), ref: 00298704
GetLastError.KERNEL32(?,002985CC,?,00328CC8,0000000C), ref: 0029870E
__dosmaperr.LIBCMT ref: 00298739

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 8168c58e62056f0e42e97178ad0a9deb15a3b5e5b93af56e3d559cb6965f5af4
Instruction ID: 30dec8ea3d135fa7129aa2ce3cb13c819d4832369d2d2197981fe2a7037c15cb
Opcode Fuzzy Hash: 8168c58e62056f0e42e97178ad0a9deb15a3b5e5b93af56e3d559cb6965f5af4
Instruction Fuzzy Hash: 69014833A3522016DE256634A845B7E674D4B837B4F3D0159E9088F0D2DEA08CA1C694

Function 0026DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0026DB7B
DispatchMessageW.USER32(?), ref: 0026DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0026DB9F
Sleep.KERNELBASE(0000000A), ref: 0026DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 002B1CC9

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: e34f25a050fe223c13419d126e12680a1fb0f55b3dead1ef53bb1686288d76b1
Instruction ID: 8ae54fff43e623023ac4d3c7011cb9a0a250ff105701cbf5b5ed8bde0120ee61
Opcode Fuzzy Hash: e34f25a050fe223c13419d126e12680a1fb0f55b3dead1ef53bb1686288d76b1
Instruction Fuzzy Hash: 13F08931654349DBE730DB60DD99FEA73ACEB45350F504925E619C70D0DB30A498CB16

Function 00271310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002717F6

Strings

CALL, xrefs: 002717C6

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: f7d894d370f70777434db89f62c7485d4b5ad38c6072ae237985b8bb420e766d
Instruction ID: e234114cc5bfc938e550d8329b990afd223e14605fa688eb5c7f41452ddd57fa
Opcode Fuzzy Hash: f7d894d370f70777434db89f62c7485d4b5ad38c6072ae237985b8bb420e766d
Instruction Fuzzy Hash: BB22AB706282029FC714DF18C484A2ABBF5BF85354F24896DF48A8B361D775E975CF82

Function 00263837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00263908

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 05d356194c771244f3a3c27ff787cd7c2e1fd4e176f4f71281d58adffdf0d8a3
Instruction ID: 84dc31bf5fd1837569f5d0a1a7e559ba94f85e58b939458386dfe512b129204f
Opcode Fuzzy Hash: 05d356194c771244f3a3c27ff787cd7c2e1fd4e176f4f71281d58adffdf0d8a3
Instruction Fuzzy Hash: D231A275514701DFD721DF24D8847D7BBE8FB49718F00092EF59A83250E7B1AA94CB92

Function 0027F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0027F661

Part of subcall function 0026D730: GetInputState.USER32 ref: 0026D807

Sleep.KERNEL32(00000000), ref: 002BF2DE

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: df8ae1c57b5b6463fd2cba330f60632023cadd64c8844ea9a69221e0e662c2f7
Instruction ID: fe32c32843210c538fbb0ae51a700a828c4b2b555b50b46a2228ec8ef1e04a20
Opcode Fuzzy Hash: df8ae1c57b5b6463fd2cba330f60632023cadd64c8844ea9a69221e0e662c2f7
Instruction Fuzzy Hash: 9CF05E352502099FD354EB75D549BAAB7E8AF45760F104029E85AC7260DB70A850CF91

Function 00264ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00264E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00264EDD,?,00331418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00264E9C
Part of subcall function 00264E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00264EAE
Part of subcall function 00264E90: FreeLibrary.KERNEL32(00000000,?,?,00264EDD,?,00331418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00264EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00331418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00264EFD

Part of subcall function 00264E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002A3CDE,?,00331418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00264E62
Part of subcall function 00264E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00264E74
Part of subcall function 00264E59: FreeLibrary.KERNEL32(00000000,?,?,002A3CDE,?,00331418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00264E87

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: a7149df9c4f3ad1d71c1987c7bb1a211744e02a321d898127bc23a594376ba20
Instruction ID: f5b0cc43a49aed5837cc47b7b6cf8d091153db603da82d7834ada832612398b5
Opcode Fuzzy Hash: a7149df9c4f3ad1d71c1987c7bb1a211744e02a321d898127bc23a594376ba20
Instruction Fuzzy Hash: B611E332630205EBCF15FF60DC02FAD77A5AF40714F20842EF582A61D1EEB59AA59F90

Function 00298402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00298440

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 292daa0e9d1ffda930933f9fb9deff6a352691956d7a0d64224addbe754824bb
Instruction ID: ff5d4faa0b3dec430660af7e81e92002b9c49fd534babd5aaa864504a18aa065
Opcode Fuzzy Hash: 292daa0e9d1ffda930933f9fb9deff6a352691956d7a0d64224addbe754824bb
Instruction Fuzzy Hash: 4A11157590420AAFCF05DF58E94199A7BF9EF49314F1440A9F808AB312DA31EA21CBA5

Function 0028E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1b161de56c5677c794ec20d5625d0cce9d41e7fe77b4d52c9543c28b0c922b37
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: CCF0283A532A24E6DF313E698C05F5A339C9F52330F150715F924971E2EB70E8268FA5

Function 00294C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00261129,00000000,?,00292E29,00000001,00000364,?,?,?,0028F2DE,00293863,00331444,?,0027FDF5,?), ref: 00294CBE

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a3edb831dce76cc474c12ee13d4016357fd35f76e6a7d80de84f393fc01c27ba
Instruction ID: d6e074751cfedeae3f52858f5d2c590d58b51e01f5f1f38c1fad7ba7452313b1
Opcode Fuzzy Hash: a3edb831dce76cc474c12ee13d4016357fd35f76e6a7d80de84f393fc01c27ba
Instruction Fuzzy Hash: 91F0B4356332266FDF217F629D09F5A3788BF517B1B144227B819A61D0CA70E83286A0

Function 00293820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00331444,?,0027FDF5,?,?,0026A976,00000010,00331440,002613FC,?,002613C6,?,00261129), ref: 00293852

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 65a2c8cf37bb990bb73cf69987c57fce705dc628620c462b2fd3d369b4e3328d
Instruction ID: 498f87ff76dfd001f255130018926fa45e6425b96c07915262495c3ee261fe0d
Opcode Fuzzy Hash: 65a2c8cf37bb990bb73cf69987c57fce705dc628620c462b2fd3d369b4e3328d
Instruction Fuzzy Hash: 54E0E53613122A57DE21BE679C04B9B374ABF427B0F150032BC49928D0CB50DD3196E0

Function 00264F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00331418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00264F6D

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 80bb4e06d0fc03e9862518f3799250255504101487e14d0c1f34172a06d58147
Instruction ID: 6b6216a177bc0059da3ff8079f98702516669873fae2208733dbc2c18fabe6e9
Opcode Fuzzy Hash: 80bb4e06d0fc03e9862518f3799250255504101487e14d0c1f34172a06d58147
Instruction Fuzzy Hash: A4F06571125752CFDB38AF64D494822B7F4FF14329320897EE1DA83911C77198A4DF10

Function 002F2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 002F2A66

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: fdd0d3be008f7934175d35b0792eb338e30d6622bccd5c0220a599d00476a668
Instruction ID: 27c533b92e786baa36e32b679ed2ab7622bf57b6fd1bf3e49df42af4f13521a3
Opcode Fuzzy Hash: fdd0d3be008f7934175d35b0792eb338e30d6622bccd5c0220a599d00476a668
Instruction Fuzzy Hash: 3EE04F3637411AEAC714EA30EC909FAB39CEB513D5710453AAD1BD2200DF7099B9DAA0

Function 002630F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0026314E

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: df2b55bdf5e88c291a657479af9fdd089f4451b51bb2d3d625fbcf52bcc18934
Instruction ID: 4083f521e1ab16053a7d331ee31fe2b1c1f4e46a1d006167716452d7885d6f3b
Opcode Fuzzy Hash: df2b55bdf5e88c291a657479af9fdd089f4451b51bb2d3d625fbcf52bcc18934
Instruction Fuzzy Hash: B5F037749143189FE753DF24DC897D57BFCA701718F0000E5A54997191D7745798CF51

Function 00262DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00262DC4

Part of subcall function 00266B57: _wcslen.LIBCMT ref: 00266B6A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 837efb1d74da2c9f43136438dbe3fea57ce6305086b8706bd0d27629a7fcb845
Instruction ID: 464c7284c9a80eb54e7306842a1302a5b8963444402b04fe685617662a095467
Opcode Fuzzy Hash: 837efb1d74da2c9f43136438dbe3fea57ce6305086b8706bd0d27629a7fcb845
Instruction Fuzzy Hash: 46E0CD766002245BC72096589C09FEA77DDDFC87F0F044071FD09E7248D960AD90C950

Function 00262B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00263837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00263908

Part of subcall function 0026D730: GetInputState.USER32 ref: 0026D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00262B6B

Part of subcall function 002630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0026314E

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: cb34f2cc895ecb9ac6b3dcb2bc92e58f4e9e26fc34a3b8834f8b788bbbf8a42d
Instruction ID: 2538af55bf61762ceedff52065327cfcf44df906057737c6ba7c9d76d66d8195
Opcode Fuzzy Hash: cb34f2cc895ecb9ac6b3dcb2bc92e58f4e9e26fc34a3b8834f8b788bbbf8a42d
Instruction Fuzzy Hash: EFE0262131024802C608FB71A8525BDE35DCBD1351F40043EF042831A2CE2445E98B12

Function 002A039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,002A0704,?,?,00000000,?,002A0704,00000000,0000000C), ref: 002A03B7

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d227f7a315fa8c3af2194f416bf15adb34f25bdbe9d9a83a4a10242c668cc847
Instruction ID: 884566511ccc85da054e1e07b268c873ac0bf2b125c9208cab7be125f7375bbd
Opcode Fuzzy Hash: d227f7a315fa8c3af2194f416bf15adb34f25bdbe9d9a83a4a10242c668cc847
Instruction Fuzzy Hash: 48D06C3204010DBBDF028F84ED06EDA3BAAFB48754F114010BE1856020C732E831EB90

Function 00261CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00261CBC

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 3facf528067e83b1e586ea03883bd618647be31cb951dab73c0f397ca0ae02ad
Instruction ID: db53612e88c7cbcf40eafcd985ff48285515b2393ed75104a60791c9330e7708
Opcode Fuzzy Hash: 3facf528067e83b1e586ea03883bd618647be31cb951dab73c0f397ca0ae02ad
Instruction Fuzzy Hash: 67C09B352803049FF2164780BD8EF117758E348B11F544001F609655E3C3A11414D650

Non-executed Functions

Function 002F9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00279BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00279BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002F961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002F965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 002F969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002F96C9
SendMessageW.USER32 ref: 002F96F2
GetKeyState.USER32(00000011), ref: 002F978B
GetKeyState.USER32(00000009), ref: 002F9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002F97AE
GetKeyState.USER32(00000010), ref: 002F97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002F97E9
SendMessageW.USER32 ref: 002F9810
SendMessageW.USER32(?,00001030,?,002F7E95), ref: 002F9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002F992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002F9941
SetCapture.USER32(?), ref: 002F994A
ClientToScreen.USER32(?,?), ref: 002F99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002F99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002F99D6
ReleaseCapture.USER32 ref: 002F99E1
GetCursorPos.USER32(?), ref: 002F9A19
ScreenToClient.USER32(?,?), ref: 002F9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 002F9A80
SendMessageW.USER32 ref: 002F9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 002F9AEB
SendMessageW.USER32 ref: 002F9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002F9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 002F9B4A
GetCursorPos.USER32(?), ref: 002F9B68
ScreenToClient.USER32(?,?), ref: 002F9B75
GetParent.USER32(?), ref: 002F9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 002F9BFA
SendMessageW.USER32 ref: 002F9C2B
ClientToScreen.USER32(?,?), ref: 002F9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002F9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 002F9CDE
SendMessageW.USER32 ref: 002F9D01
ClientToScreen.USER32(?,?), ref: 002F9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002F9D82

Part of subcall function 00279944: GetWindowLongW.USER32(?,000000EB), ref: 00279952

GetWindowLongW.USER32(?,000000F0), ref: 002F9E05

Strings

p#3, xrefs: 002F9990
@GUI_DRAGID, xrefs: 002F997D
F, xrefs: 002F9D07

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#3
API String ID: 3429851547-1423565979
Opcode ID: 04faf6c8cb3f9de4205aeeab5bece19cd4b4d23f361e536c5e69c277ca03e35c
Instruction ID: 5d6c0bdb1ea0369f3142137e6209e82e6005833b4ccc6c2fd22c0ebf7942ae1c
Opcode Fuzzy Hash: 04faf6c8cb3f9de4205aeeab5bece19cd4b4d23f361e536c5e69c277ca03e35c
Instruction Fuzzy Hash: 3B428C34614209AFD725DF24CD88BBAFBE9EF497A0F100629F659C72A1D77198A0CF41

Function 002F4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002F48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 002F4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 002F4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 002F494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 002F495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 002F497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002F49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002F49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 002F4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 002F4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 002F4A7E
IsMenu.USER32(?), ref: 002F4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002F4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002F4B20
GetWindowLongW.USER32(?,000000F0), ref: 002F4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 002F4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 002F4C82
wsprintfW.USER32 ref: 002F4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002F4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 002F4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002F4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002F4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 002F4D5A

Strings

%d/%02d/%02d, xrefs: 002F4CA8

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: a8830fffb5c4f23a2bfbec1bc823e7b264e4acfa8051ce3c472c9f183aebcc0e
Instruction ID: 2fe44b2fe864c535021cf417b1339cf3f5a6e35d7fc45685daa75512973b8594
Opcode Fuzzy Hash: a8830fffb5c4f23a2bfbec1bc823e7b264e4acfa8051ce3c472c9f183aebcc0e
Instruction Fuzzy Hash: D512E33152020DABEB24AF24DD49FBFBBF8AF45790F104229FA19DA2D1D7B49950CB50

Function 0027F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0027F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002BF474
IsIconic.USER32(00000000), ref: 002BF47D
ShowWindow.USER32(00000000,00000009), ref: 002BF48A
SetForegroundWindow.USER32(00000000), ref: 002BF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002BF4AA
GetCurrentThreadId.KERNEL32 ref: 002BF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002BF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 002BF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 002BF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 002BF4DE
SetForegroundWindow.USER32(00000000), ref: 002BF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 002BF4F6
keybd_event.USER32(00000012,00000000), ref: 002BF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 002BF50B
keybd_event.USER32(00000012,00000000), ref: 002BF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 002BF519
keybd_event.USER32(00000012,00000000), ref: 002BF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 002BF528
keybd_event.USER32(00000012,00000000), ref: 002BF52D
SetForegroundWindow.USER32(00000000), ref: 002BF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 002BF557

Strings

Shell_TrayWnd, xrefs: 002BF46F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: dc5104e63686160f9a5973022a807454f52d062fe7c9b433cdcf87e421ebeb99
Instruction ID: 3e1f2ff6186400fae597aad47a2fe583d68d7583aa1e7ec1a7284092b0a74f3c
Opcode Fuzzy Hash: dc5104e63686160f9a5973022a807454f52d062fe7c9b433cdcf87e421ebeb99
Instruction Fuzzy Hash: 51315071A5021CBAEB206FB56D4AFBF7E6CEB44BA0F200075FA00F61D1C6B05910EB60

Function 002C1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002C170D
Part of subcall function 002C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002C173A
Part of subcall function 002C16C3: GetLastError.KERNEL32 ref: 002C174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 002C1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002C12A8
CloseHandle.KERNEL32(?), ref: 002C12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002C12D1
GetProcessWindowStation.USER32 ref: 002C12EA
SetProcessWindowStation.USER32(00000000), ref: 002C12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002C1310

Part of subcall function 002C10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002C11FC), ref: 002C10D4
Part of subcall function 002C10BF: CloseHandle.KERNEL32(?,?,002C11FC), ref: 002C10E9

Strings

winsta0, xrefs: 002C12CC
Z2, xrefs: 002C1392
default, xrefs: 002C130B
, xrefs: 002C125A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z2
API String ID: 22674027-991774236
Opcode ID: 06a94fd1433b60e0762d3231686e3f5f1a2c74b6e7b029869f4b79b7458ad9fd
Instruction ID: 33a52f58824626e31e1db0eff9c078bf6153919714cbdf5d68635d20d4c7b143
Opcode Fuzzy Hash: 06a94fd1433b60e0762d3231686e3f5f1a2c74b6e7b029869f4b79b7458ad9fd
Instruction Fuzzy Hash: 7781AA7191020AABDF259FA4ED4AFEE7BB9EF05704F14426DF910E61A2D7308964CF60

Function 002C0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002C1114
Part of subcall function 002C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,002C0B9B,?,?,?), ref: 002C1120
Part of subcall function 002C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002C0B9B,?,?,?), ref: 002C112F
Part of subcall function 002C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002C0B9B,?,?,?), ref: 002C1136
Part of subcall function 002C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002C0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002C0C00
GetLengthSid.ADVAPI32(?), ref: 002C0C17
GetAce.ADVAPI32(?,00000000,?), ref: 002C0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002C0C6D
GetLengthSid.ADVAPI32(?), ref: 002C0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 002C0C8C
HeapAlloc.KERNEL32(00000000), ref: 002C0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 002C0CB4
CopySid.ADVAPI32(00000000), ref: 002C0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002C0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002C0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002C0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C0D45
HeapFree.KERNEL32(00000000), ref: 002C0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C0D55
HeapFree.KERNEL32(00000000), ref: 002C0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C0D65
HeapFree.KERNEL32(00000000), ref: 002C0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 002C0D78
HeapFree.KERNEL32(00000000), ref: 002C0D7F

Part of subcall function 002C1193: GetProcessHeap.KERNEL32(00000008,002C0BB1,?,00000000,?,002C0BB1,?), ref: 002C11A1
Part of subcall function 002C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,002C0BB1,?), ref: 002C11A8
Part of subcall function 002C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,002C0BB1,?), ref: 002C11B7

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bcdcaa523d12e9fe3e97bf6fcd5d11529b0569b1215e0ee9043e23a4f0dbf711
Instruction ID: 574027ee984ebde27f82ff6805204353485037c318e3efc187274bc405cc5d89
Opcode Fuzzy Hash: bcdcaa523d12e9fe3e97bf6fcd5d11529b0569b1215e0ee9043e23a4f0dbf711
Instruction Fuzzy Hash: 97717E7190020EEBDF10DFE4DD88FAEBBB8FF04750F144629E919A6191D771AA25CB60

Function 002DEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(002FCC08), ref: 002DEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 002DEB37
GetClipboardData.USER32(0000000D), ref: 002DEB43
CloseClipboard.USER32 ref: 002DEB4F
GlobalLock.KERNEL32(00000000), ref: 002DEB87
CloseClipboard.USER32 ref: 002DEB91
GlobalUnlock.KERNEL32(00000000), ref: 002DEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 002DEBC9
GetClipboardData.USER32(00000001), ref: 002DEBD1
GlobalLock.KERNEL32(00000000), ref: 002DEBE2
GlobalUnlock.KERNEL32(00000000), ref: 002DEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 002DEC38
GetClipboardData.USER32(0000000F), ref: 002DEC44
GlobalLock.KERNEL32(00000000), ref: 002DEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 002DEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 002DEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 002DECD2
GlobalUnlock.KERNEL32(00000000), ref: 002DECF3
CountClipboardFormats.USER32 ref: 002DED14
CloseClipboard.USER32 ref: 002DED59

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: cd69a47e013ef04741a3da3da4c928e4513142822f1b69f0207045fb38f322a7
Instruction ID: 824edd8d13af43c4c62cfe344866672e3abca894fdfdc6f4ae75aba7d1dd386c
Opcode Fuzzy Hash: cd69a47e013ef04741a3da3da4c928e4513142822f1b69f0207045fb38f322a7
Instruction Fuzzy Hash: 5B61DE342142069FD700EF24D988F3A77A8EF84754F25452AF856DB3A2CB70ED59CB62

Function 002D698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002D69BE
FindClose.KERNEL32(00000000), ref: 002D6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002D6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002D6A75

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 002D6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 002D6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 002D6B32
%4d%02d%02d%02d%02d%02d, xrefs: 002D6B6A
%02d, xrefs: 002D6C00, 002D6C0A, 002D6C5A, 002D6CAA, 002D6CFA, 002D6D4A
%03d, xrefs: 002D6DA2
%4d, xrefs: 002D6BB1

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 24a43aacdf466fb691b65570a90cdc29b25149aeb9f6415204daf6a2e174a6cf
Instruction ID: 8f61b3e64712cb47ccadd513261ac3279f19fd26434110c538d57218f803129c
Opcode Fuzzy Hash: 24a43aacdf466fb691b65570a90cdc29b25149aeb9f6415204daf6a2e174a6cf
Instruction Fuzzy Hash: 25D17271518300AFC310EFA0D985EABB7ECAF88704F04491EF585D7291EB74DA94CB62

Function 002D9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 002D9663
GetFileAttributesW.KERNEL32(?), ref: 002D96A1
SetFileAttributesW.KERNEL32(?,?), ref: 002D96BB
FindNextFileW.KERNEL32(00000000,?), ref: 002D96D3
FindClose.KERNEL32(00000000), ref: 002D96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002D96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 002D974A
SetCurrentDirectoryW.KERNEL32(00326B7C), ref: 002D9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 002D9772
FindClose.KERNEL32(00000000), ref: 002D977F
FindClose.KERNEL32(00000000), ref: 002D978F

Strings

*.*, xrefs: 002D96F5

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e51a6f82db07ad0c6f12dd14ce7d87b2c8af350a7a8c57e590d61ed6be2fcbaa
Instruction ID: 26a948c577272a6cb86cff6f8bf04b6a1bd19730b934aec32eaca49c929bdedc
Opcode Fuzzy Hash: e51a6f82db07ad0c6f12dd14ce7d87b2c8af350a7a8c57e590d61ed6be2fcbaa
Instruction Fuzzy Hash: 0E31C27255121E6AEF14AFB4ED09AEEB7AC9F09360F244166F805E22A0DB30DD94CF50

Function 002D979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 002D97BE
FindNextFileW.KERNEL32(00000000,?), ref: 002D9819
FindClose.KERNEL32(00000000), ref: 002D9824
FindFirstFileW.KERNEL32(*.*,?), ref: 002D9840
SetCurrentDirectoryW.KERNEL32(?), ref: 002D9890
SetCurrentDirectoryW.KERNEL32(00326B7C), ref: 002D98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002D98B8
FindClose.KERNEL32(00000000), ref: 002D98C5
FindClose.KERNEL32(00000000), ref: 002D98D5

Part of subcall function 002CDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002CDB00

Strings

*.*, xrefs: 002D983B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 3b4838d04e4c9f97e43cc3e0f96677e7eeada0e8611935e499df8f52052b49d7
Instruction ID: e8b790c1fbd0129228a1570c9a9fa5a9577036be40533f6fbe236de4dbf2693a
Opcode Fuzzy Hash: 3b4838d04e4c9f97e43cc3e0f96677e7eeada0e8611935e499df8f52052b49d7
Instruction Fuzzy Hash: 7731B33255121E6EDF10AFB4EC49AEE77AC9F06760F244166F810E22A0DB30DDA4DF20

Function 002EBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002EB6AE,?,?), ref: 002EC9B5
Part of subcall function 002EC998: _wcslen.LIBCMT ref: 002EC9F1
Part of subcall function 002EC998: _wcslen.LIBCMT ref: 002ECA68
Part of subcall function 002EC998: _wcslen.LIBCMT ref: 002ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002EBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 002EBFA9
RegCloseKey.ADVAPI32(00000000), ref: 002EBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002EC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002EC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 002EC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 002EC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 002EC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 002EC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 002EC382
RegCloseKey.ADVAPI32(00000000), ref: 002EC38F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: d43371c96f4688be87aca0101f8c391b53dd17ba1eb25d8962480aead45048e7
Instruction ID: d480612ecccff5088a0e6c0edc67293b375cea837d0c7bc8cf143a66ef7cd8bf
Opcode Fuzzy Hash: d43371c96f4688be87aca0101f8c391b53dd17ba1eb25d8962480aead45048e7
Instruction Fuzzy Hash: 94027D706142419FC714CF69C895E2ABBE4EF49318F68849DF84ACB2A2DB31EC52CF51

Function 002D8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002D8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 002D8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002D8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002D8310
SetCurrentDirectoryW.KERNEL32(?), ref: 002D8324
SetCurrentDirectoryW.KERNEL32(?), ref: 002D8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002D838C
SetCurrentDirectoryW.KERNEL32(?), ref: 002D8395

Strings

*.*, xrefs: 002D839B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f515aeb4aaeb5fe6cadda5dd826a3d6785a4dcbbbed0f738b4f75d1428ebf3de
Instruction ID: 04f13c681cce4a592b67944255e0fbcaa79eeb64f840d4d242b83a880e3ff418
Opcode Fuzzy Hash: f515aeb4aaeb5fe6cadda5dd826a3d6785a4dcbbbed0f738b4f75d1428ebf3de
Instruction Fuzzy Hash: 8A6158725243459FCB10EF60C8449AEB3E8FF89310F14496AF98987251EB31ED65CF92

Function 002CD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00263AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00263A97,?,?,00262E7F,?,?,?,00000000), ref: 00263AC2

Part of subcall function 002CE199: GetFileAttributesW.KERNEL32(?,002CCF95), ref: 002CE19A

FindFirstFileW.KERNEL32(?,?), ref: 002CD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 002CD1DD
MoveFileW.KERNEL32(?,?), ref: 002CD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 002CD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 002CD237

Part of subcall function 002CD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,002CD21C,?,?), ref: 002CD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 002CD253
FindClose.KERNEL32(00000000), ref: 002CD264

Strings

\*.*, xrefs: 002CD0CD, 002CD0D6, 002CD0EB

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 101379e309084c1e8b65c7329456a958d294c5287db638e6e5d63cc6e5aebad0
Instruction ID: c81445c9b0bd7bd8ddd640c1e51ec4f77bf984a4dde5ec18184cd5a6400595d5
Opcode Fuzzy Hash: 101379e309084c1e8b65c7329456a958d294c5287db638e6e5d63cc6e5aebad0
Instruction Fuzzy Hash: 6E616B3181110D9ACF05EFA0DA52EEDB7B9AF15300F244269E80577192EB309FA9DF61

Function 002DED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 002DED91
EmptyClipboard.USER32 ref: 002DED97
GlobalAlloc.KERNEL32(00000002,?), ref: 002DEDAC
CloseClipboard.USER32 ref: 002DEEA3

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 80b5849823aae1de08b2ee9b4c24377d25d63325f01d2fc7636ae17ec9515f7e
Instruction ID: d670fab44a1153f91b3f189992a3336dfe33f10fee3b8015f4665476ebd5ad3d
Opcode Fuzzy Hash: 80b5849823aae1de08b2ee9b4c24377d25d63325f01d2fc7636ae17ec9515f7e
Instruction Fuzzy Hash: 6A41C1352182129FD710EF15E888B29BBE5EF44368F25C09AE4568F762C771EC51CB90

Function 002CE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002C170D
Part of subcall function 002C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002C173A
Part of subcall function 002C16C3: GetLastError.KERNEL32 ref: 002C174A

ExitWindowsEx.USER32(?,00000000), ref: 002CE932

Strings

@, xrefs: 002CE925
, xrefs: 002CE920
SeShutdownPrivilege, xrefs: 002CE902
, xrefs: 002CE95C

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 15822feba4ffd99ad3944c39cc931ff062a0d53e498c2cda3e9dff3a208330b5
Instruction ID: 8458cd10d1ca8f053de8e008f59a8a9164c7f708e10a3610bd01c881f48143f3
Opcode Fuzzy Hash: 15822feba4ffd99ad3944c39cc931ff062a0d53e498c2cda3e9dff3a208330b5
Instruction Fuzzy Hash: B001F972630215ABEF5426B4AC8AFBF725CAB15790F264729FC03E31D2DAB05C64C694

Function 002E1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 002E1276
WSAGetLastError.WSOCK32 ref: 002E1283
bind.WSOCK32(00000000,?,00000010), ref: 002E12BA
WSAGetLastError.WSOCK32 ref: 002E12C5
closesocket.WSOCK32(00000000), ref: 002E12F4
listen.WSOCK32(00000000,00000005), ref: 002E1303
WSAGetLastError.WSOCK32 ref: 002E130D
closesocket.WSOCK32(00000000), ref: 002E133C

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 9aa145e196e558c8c32d8ef444a35c73d37aa83c3c6fc6813a9a8c0545d75ca8
Instruction ID: f64e8c9ffcf5cbf075de615bbddec6be28e4eef5d018c9c30600471880861c54
Opcode Fuzzy Hash: 9aa145e196e558c8c32d8ef444a35c73d37aa83c3c6fc6813a9a8c0545d75ca8
Instruction Fuzzy Hash: 384127306101519FD710DF25D888B69BBE1BF46368F6880A8D9568F3E6C370EC91CBE0

Function 0029B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0029B9D4
_free.LIBCMT ref: 0029B9F8
_free.LIBCMT ref: 0029BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00303700), ref: 0029BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0033121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0029BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00331270,000000FF,?,0000003F,00000000,?), ref: 0029BC36
_free.LIBCMT ref: 0029BD4B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: a6ae319e831fe0844ae14a0f59dfcdbc6cb2f24b66f9b4f4a520d470ef251733
Instruction ID: 58f34bfd90eb1da6102d2b41b9fd10b6f6eb4afd325a99487e53054ee137965b
Opcode Fuzzy Hash: a6ae319e831fe0844ae14a0f59dfcdbc6cb2f24b66f9b4f4a520d470ef251733
Instruction Fuzzy Hash: C2C15C3192420AAFDF22DF78EE51BAE7BB9EF41310F1441AAE854D7291D7308E21CB50

Function 002CD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00263AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00263A97,?,?,00262E7F,?,?,?,00000000), ref: 00263AC2

Part of subcall function 002CE199: GetFileAttributesW.KERNEL32(?,002CCF95), ref: 002CE19A

FindFirstFileW.KERNEL32(?,?), ref: 002CD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 002CD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 002CD481
FindClose.KERNEL32(00000000), ref: 002CD498
FindClose.KERNEL32(00000000), ref: 002CD4A1

Strings

\*.*, xrefs: 002CD3F2

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 260a0ce6236497740d70356825103cf93e4ba496c87050e1e822cb49e9a3b9d5
Instruction ID: f06af13efbc773ce5ef7ad968a45c5c13853b069fbf89a4ce1d95ffc48afcfad
Opcode Fuzzy Hash: 260a0ce6236497740d70356825103cf93e4ba496c87050e1e822cb49e9a3b9d5
Instruction Fuzzy Hash: C231C0310283459BC314EF64D8959AFB7A8BE91310F504A2DF4D593191EB30AA69DB63

Function 0029E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0029E645

Strings

1#SNAN, xrefs: 0029F844
1#QNAN, xrefs: 0029F84B
1#IND, xrefs: 0029F83D
1#INF, xrefs: 0029F852

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4b7428003335ce0250c439af2ad29b6815698c5e8562589ed84947db7f1aeb7e
Instruction ID: 6bb6eb846f642936035e8428e359cad2886c595b902ec123976dbc5c261f673f
Opcode Fuzzy Hash: 4b7428003335ce0250c439af2ad29b6815698c5e8562589ed84947db7f1aeb7e
Instruction Fuzzy Hash: 51C24971E246298FDFA5CE28DD407EAB7B9EB48304F1541EAD84DE7240E774AE918F40

Function 002D648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002D64DC
CoInitialize.OLE32(00000000), ref: 002D6639
CoCreateInstance.OLE32(002FFCF8,00000000,00000001,002FFB68,?), ref: 002D6650
CoUninitialize.OLE32 ref: 002D68D4

Strings

.lnk, xrefs: 002D64BA, 002D6524, 002D65E0

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 7d9d90977a7a18e82631a83ca5719a262045143a22561f9353c03729ca01c5ab
Instruction ID: ce1153efb47d374ffec6d6489bf804ab8da3d87a225359f6d5b387f09df5556c
Opcode Fuzzy Hash: 7d9d90977a7a18e82631a83ca5719a262045143a22561f9353c03729ca01c5ab
Instruction Fuzzy Hash: DDD17B71528201AFC300EF24C88596BB7E8FF98704F50496DF5858B2A1EB71ED99CF92

Function 002E22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002E22E8

Part of subcall function 002DE4EC: GetWindowRect.USER32(?,?), ref: 002DE504

GetDesktopWindow.USER32 ref: 002E2312
GetWindowRect.USER32(00000000), ref: 002E2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 002E2355
GetCursorPos.USER32(?), ref: 002E2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002E23DF

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: a295209f552353812f5a0df3875d9b7f77236ab026231c8482c619389931d4dd
Instruction ID: a91bc80889006dadb7370d3edd0e4afc7ccc07c976e0650adbdd0fbeac307eef
Opcode Fuzzy Hash: a295209f552353812f5a0df3875d9b7f77236ab026231c8482c619389931d4dd
Instruction Fuzzy Hash: 4D31EF72544346ABDB20DF15D809F6BB7AEFF84310F500A19F985A7181DB34E918CB92

Function 002D9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 002D9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 002D9C8B

Part of subcall function 002D3874: GetInputState.USER32 ref: 002D38CB
Part of subcall function 002D3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002D3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 002D9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 002D9C75

Strings

*.*, xrefs: 002D9B5D

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: ef0436c81a4438d80c4b3b2ea954e8aff55cf52e3c982ece46b944853c3b8ad7
Instruction ID: 3e48ce30536f6fbcd384c6f3b88b149f7be44b00ec27da5897fd46ef3f8f61da
Opcode Fuzzy Hash: ef0436c81a4438d80c4b3b2ea954e8aff55cf52e3c982ece46b944853c3b8ad7
Instruction Fuzzy Hash: CF413E7192420A9FCF15DF64D949AEEBBB8EF09350F244167F805A2291DB309EA4CF60

Function 00268060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0026843C
VUUU, xrefs: 002683FA
VUUU, xrefs: 002683E8
VUUU, xrefs: 002A5DF0
ERCP, xrefs: 0026813C
InitializeCriticalSectionEx, xrefs: 002A5D43

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID: ERCP$InitializeCriticalSectionEx$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1173862840
Opcode ID: ad439a6ebbf51c7ea3b5e68765446966d924705a42212627b628af62c1c79528
Instruction ID: d3eb5bb03132537accb7a49f4b329d2f0d115dfa6a00475da86be735407e2e8b
Opcode Fuzzy Hash: ad439a6ebbf51c7ea3b5e68765446966d924705a42212627b628af62c1c79528
Instruction Fuzzy Hash: DFA29371E2061ACBDF24CF58C8447AEB7B1BF55314F24869AE815A7284EB709DE1CF90

Function 0027997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00279BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00279BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00279A4E
GetSysColor.USER32(0000000F), ref: 00279B23
SetBkColor.GDI32(?,00000000), ref: 00279B36

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 991f7805b9963572d9e7786dfac28a8d6342eb9428bed409c43e671b8c51fcdd
Instruction ID: 6808998a7376eb42a828e37bfb74fc82e4c84b1f545afbd721f39866a8612656
Opcode Fuzzy Hash: 991f7805b9963572d9e7786dfac28a8d6342eb9428bed409c43e671b8c51fcdd
Instruction Fuzzy Hash: 5EA18B70139209BEE729EE3D8C88EBB765DDB82380F208119F506C6695CE718DB1D772

Function 002E1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002E304E: inet_addr.WSOCK32(?), ref: 002E307A
Part of subcall function 002E304E: _wcslen.LIBCMT ref: 002E309B

socket.WSOCK32(00000002,00000002,00000011), ref: 002E185D
WSAGetLastError.WSOCK32 ref: 002E1884
bind.WSOCK32(00000000,?,00000010), ref: 002E18DB
WSAGetLastError.WSOCK32 ref: 002E18E6
closesocket.WSOCK32(00000000), ref: 002E1915

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: e65e3a32164a5194b2c861df718e331617285801c3d8c3feb64fe7eeabfaec09
Instruction ID: a84e044beda9ed923f551c8e5e6a5ff0c0d69c1f9fbf38ef1e95ed7a02682515
Opcode Fuzzy Hash: e65e3a32164a5194b2c861df718e331617285801c3d8c3feb64fe7eeabfaec09
Instruction Fuzzy Hash: 51510771A502009FEB10EF24C89AF7A77E5AB44718F588098F9469F3D3C770AD61CBA1

Function 002F1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002F1CC0
IsWindowEnabled.USER32 ref: 002F1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 002F1CDB
IsIconic.USER32 ref: 002F1CE9
IsZoomed.USER32 ref: 002F1CF7

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2ec6f274dada9e44c418d8d426ec4c9a98ebbfb1f864e9938d12530ad3f105c6
Instruction ID: c3483493a75c601021e00422fb091701ab27a681b29ec825ab255c625cb078f2
Opcode Fuzzy Hash: 2ec6f274dada9e44c418d8d426ec4c9a98ebbfb1f864e9938d12530ad3f105c6
Instruction Fuzzy Hash: 9E21D631750209DFD7209F1AD844B36BBA5EF853A4BA88079E946CB351C771DC62CB91

Function 002C8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002C82AA

Strings

|, xrefs: 002C82DA
tb2, xrefs: 002C84F4
(, xrefs: 002C82F0

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb2$|
API String ID: 1659193697-4023024493
Opcode ID: 436627262c05faeee91acc513636725922a6de073ab0d77c5faf04e7d4ac2624
Instruction ID: a8de4e8559f79b49931e58ccadd427b403b99bd1fe85fafcb08f066f48941c1e
Opcode Fuzzy Hash: 436627262c05faeee91acc513636725922a6de073ab0d77c5faf04e7d4ac2624
Instruction Fuzzy Hash: E8323574A106069FCB28CF59C481E6AB7F0FF48710B15C66EE49ADB7A1EB70E951CB40

Function 002CAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 002CAAAC
SetKeyboardState.USER32(00000080), ref: 002CAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 002CAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 002CAB88

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 908e9759a0f8a62b40c7fb95bfd575dfd97f284a2b924e331fe870f639b22a53
Instruction ID: 6543e53f957cbba29ce5f7be9e913d8ba50fa84ca5e2da8ca49b7322eb1ba519
Opcode Fuzzy Hash: 908e9759a0f8a62b40c7fb95bfd575dfd97f284a2b924e331fe870f639b22a53
Instruction Fuzzy Hash: 60311770A6020DAEEB258E64CC09FFA77B6AF64328F14431EF185961D0D7758DA1C752

Function 002DCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 002DCE89
GetLastError.KERNEL32(?,00000000), ref: 002DCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 002DCEFE

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 42873ddc3b9dfdb13460170512905836573655c19842406ab06989d3464cdbce
Instruction ID: 19934cccc064a85253190d9d242561f2db963d0c60c8fe627cf540eb55a510b0
Opcode Fuzzy Hash: 42873ddc3b9dfdb13460170512905836573655c19842406ab06989d3464cdbce
Instruction Fuzzy Hash: 3921ACB15103069FDB209FA5D949BA6B7FCEB50364F30442BE64692291E770EE14DB50

Function 002D5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002D5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 002D5D17
FindClose.KERNEL32(?), ref: 002D5D5F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: cfd301a0f4afdd19bb4bd4db62b17a5ec1e9da5068e0f839783fa15e9a10b445
Instruction ID: 714540c5c32550da0dbb2ddc4ee54ee9ff769485c4a7332daed239b921ce885c
Opcode Fuzzy Hash: cfd301a0f4afdd19bb4bd4db62b17a5ec1e9da5068e0f839783fa15e9a10b445
Instruction Fuzzy Hash: 3251BB346246029FC714DF28C494EA6B7E4FF09324F14855EE99A8B3A1CB70EC64CFA1

Function 00292622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0029271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00292724
UnhandledExceptionFilter.KERNEL32(?), ref: 00292731

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0e667ed74e0c7bbc04dd6e8f4b4d9fe4bcba8ee1c18660cc2605219fcbd154a4
Instruction ID: db28151fc80a138276118344f09101bf5df60e8b7e8ef2b694de9c75b69e3279
Opcode Fuzzy Hash: 0e667ed74e0c7bbc04dd6e8f4b4d9fe4bcba8ee1c18660cc2605219fcbd154a4
Instruction Fuzzy Hash: 5131D37491121DABCB21DF68DD887DCBBB8AF08310F5041EAE81CA72A0E7309F958F44

Function 002D51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002D51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 002D5238
SetErrorMode.KERNEL32(00000000), ref: 002D52A1

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a0362393ca5b96b936234e485940c24581470eb1f894bbfa6b30f82d0145eff4
Instruction ID: 7f8b3296da3a45aa131c8d8a2f187df23e2e240b45a9e5a68cf379b5e210bff7
Opcode Fuzzy Hash: a0362393ca5b96b936234e485940c24581470eb1f894bbfa6b30f82d0145eff4
Instruction Fuzzy Hash: 02314D75A10518DFDB00DF54D888EADBBB4FF48314F148099E8459B362DB71EC6ACB90

Function 002C16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0027FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00280668
Part of subcall function 0027FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00280685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002C170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002C173A
GetLastError.KERNEL32 ref: 002C174A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: b7cf4ce58a46c3fc5efd002eb3afeb9097e9f445a6cb6cb296b2450e253677d7
Instruction ID: 1f9874c811aa6a98f638cddefc1c9b63889bcd14e3e94b7318b0298f039442bd
Opcode Fuzzy Hash: b7cf4ce58a46c3fc5efd002eb3afeb9097e9f445a6cb6cb296b2450e253677d7
Instruction Fuzzy Hash: 7F11C1B2424309FFD7289F54ED86E6AB7BDEB45764B20852EE05653241EB70BC61CB20

Function 002CD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002CD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 002CD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002CD650

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f9b8d44f0433392bc17ca14a880a9e3aa7ef092714940c17dcbe312c2f986219
Instruction ID: 98e67962092099ee1ce29277744f6437667a31e9afd488b58e8f66e053641bf0
Opcode Fuzzy Hash: f9b8d44f0433392bc17ca14a880a9e3aa7ef092714940c17dcbe312c2f986219
Instruction Fuzzy Hash: B9118275E01228BFDB108F94ED48FAFBBBCEB45B60F204125F904E7290C2704A01CBA1

Function 002C1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002C168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002C16A1
FreeSid.ADVAPI32(?), ref: 002C16B1

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 2f595f5d98f1f1ea18e25c3ffebd04f903229859586b02f41974ce7fea61d238
Instruction ID: 22b138d98d7448c5f9949e69943fffb8736128d724c52425b284dc9f62c9ddde
Opcode Fuzzy Hash: 2f595f5d98f1f1ea18e25c3ffebd04f903229859586b02f41974ce7fea61d238
Instruction Fuzzy Hash: 78F0447195030DFBDB00DFE09D89EAEBBBCEB08250F204968E500E2281E730AA049A50

Function 0029C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0029C36C

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 52051489c0e1cfd97bcd1011663324a8bab0fc985426bb0cee6e0cb3fc36c343
Instruction ID: c1c20ca6781dcb4712457f54b8d7b8e3fa9567836c71340594bc63e1501bfdac
Opcode Fuzzy Hash: 52051489c0e1cfd97bcd1011663324a8bab0fc985426bb0cee6e0cb3fc36c343
Instruction Fuzzy Hash: 40414972910219AFCF24AFB9DC48EBB77B8EB84354F6082ADF905D7180E6709D51CB54

Function 002BD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 002BD28C

Strings

X64, xrefs: 002BD2A8

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: d4eb5e81abbf30a221cd085e9bd5cea4d53f9f8b2220cf50081d1bf6094ab4cc
Instruction ID: a7f6981728567ffd852dc2817debf1accd491ac3da0e9bc56e12235b9c017d8f
Opcode Fuzzy Hash: d4eb5e81abbf30a221cd085e9bd5cea4d53f9f8b2220cf50081d1bf6094ab4cc
Instruction Fuzzy Hash: A2D0C9B482511DEBCB94CB90EC88DD9B37CBF04345F104165F506A2000DB7095498F10

Function 0028CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: f75ba83d31803b1223fbf9f1c7c01d4d8044e4433fafa0759793ed27543c3b24
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 3B023C75E112199BDF14DFA9C8806ADFBF1FF48324F25816AE919E7380D730AA51CB90

Function 0026CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 002B0C40
p#3, xrefs: 0026CF7F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#3
API String ID: 0-3993228859
Opcode ID: 1007e19527354d1f21e68662df8d154f9a9c6c587c824a8a14e929f28a0dd214
Instruction ID: e1d8ffb58f4f0e4b7949768cae2d660703fffe85a24327247f2776e68503922b
Opcode Fuzzy Hash: 1007e19527354d1f21e68662df8d154f9a9c6c587c824a8a14e929f28a0dd214
Instruction Fuzzy Hash: 95329E70920219DBCF15EF90C881AFEB7B5FF05344F24805AE846AB292D775ADA5CF60

Function 002D68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002D6918
FindClose.KERNEL32(00000000), ref: 002D6961

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 455619bff012a50adc82ae6601488f3477c2e48d7466dc629136d3b9130946c5
Instruction ID: 1b06e52b1f724d853f5136d4f0feb766dc596413f14a3b14bbfe7206ef4f979b
Opcode Fuzzy Hash: 455619bff012a50adc82ae6601488f3477c2e48d7466dc629136d3b9130946c5
Instruction Fuzzy Hash: F411E6316142419FC710DF69D488A26BBE0FF85328F14C6AAF8698F7A2C730EC55CB90

Function 002D37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,002E4891,?,?,00000035,?), ref: 002D37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,002E4891,?,?,00000035,?), ref: 002D37F4

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 94810933b5637498bd68049e1288d49c6ff0838930d3a82308cd4a88d63ffc5a
Instruction ID: 3684cce2eb3145803246d56a1bd35ee810db18bf34c0c59c94c496c453da069a
Opcode Fuzzy Hash: 94810933b5637498bd68049e1288d49c6ff0838930d3a82308cd4a88d63ffc5a
Instruction Fuzzy Hash: F9F0E5B06153292BE72057669C4DFEB7AAEEFC57B1F000176F509E2281D9609D44CBB1

Function 002CB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 002CB25D
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 002CB270

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 776d8b7a6dc35b3dadc3e3ad1f0aced7c70c58e1811865c206f4b18eb1c9aa5d
Instruction ID: 4d34f89b38e3941546ccc597402db0f0fc06250d6f2755877a14dd37fa14f568
Opcode Fuzzy Hash: 776d8b7a6dc35b3dadc3e3ad1f0aced7c70c58e1811865c206f4b18eb1c9aa5d
Instruction Fuzzy Hash: 35F06D7081424EABDB059FA0C806BBE7BB4FF04315F108019F951A5191C3798611DF94

Function 002C10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002C11FC), ref: 002C10D4
CloseHandle.KERNEL32(?,?,002C11FC), ref: 002C10E9

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6f8aad83d8fb5c2780a7d3e32d448304bbb4628036023eb6f94f1e7a08b505da
Instruction ID: 057c63a0cced3eb8feb0ccc4b8858ecccbaa474c8f013d9ed8136c36a7e0a97b
Opcode Fuzzy Hash: 6f8aad83d8fb5c2780a7d3e32d448304bbb4628036023eb6f94f1e7a08b505da
Instruction Fuzzy Hash: E1E04F32028600AFE7252B11FD09E7377A9EF04360B20C82DF4A5804B1DB726CA0DF10

Function 0029676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00296766,?,?,00000008,?,?,0029FEFE,00000000), ref: 00296998

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: db7553cf9c6565b8091e8a092c1de9671e3e840e1cb386fc49fc58953d70e624
Instruction ID: ef0698480e4b60caba8acc752d5e6e056c2edc77679ab346da1bc5c5d7207be5
Opcode Fuzzy Hash: db7553cf9c6565b8091e8a092c1de9671e3e840e1cb386fc49fc58953d70e624
Instruction Fuzzy Hash: 90B14D31620609DFEB15CF28C48AB657BE0FF45364F258658E899CF2A2C375E9A5CB40

Function 0027B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 002B851F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 669dfb33b5f4f276c205d02879dc707ba75122369bebc4ced05f211e7fee13bf
Instruction ID: d220382020e172c03da817a6f3eaeca2b09a56d6ef0bc836e3bf1263c5464919
Opcode Fuzzy Hash: 669dfb33b5f4f276c205d02879dc707ba75122369bebc4ced05f211e7fee13bf
Instruction Fuzzy Hash: 21125F759202299BCB25CF58C8907EEB7F9FF48710F14819AE849EB251DB709E91CF90

Function 002DEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 002DEABD

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 3c084ea16122a0f142643fee49bb0bd9347323ec18de04aea85ee50ba0d407cc
Instruction ID: a821d49bd4d2499583e667dd8fc0de6ef481250988927834dcc852f9802a2fb3
Opcode Fuzzy Hash: 3c084ea16122a0f142643fee49bb0bd9347323ec18de04aea85ee50ba0d407cc
Instruction Fuzzy Hash: 7CE01A312202059FC710EF69D804E9AB7E9AF98760F118427FC4ACB361DAB0EC908B90

Function 002809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002803EE), ref: 002809DA

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a2ea4276e809c3e84837e8207a44b5514cfc84676f309523e5a4ade1059105dc
Instruction ID: 3168020f73d0e0b6f94a9c0e4f0d2c2b27d306bd856cdb5a2cb432d46efe0141
Opcode Fuzzy Hash: a2ea4276e809c3e84837e8207a44b5514cfc84676f309523e5a4ade1059105dc
Instruction Fuzzy Hash:

Function 0028781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0028798B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 4f3053faf262a0568abd17ac847292d73b0cda59d828cb0f442771bf3f5d4ea0
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: F551976D63F6075BDB38BD68889D7BE27899B02340F380519D886C72C2D621EE31E352

Function 002D2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&3, xrefs: 002D2053

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID: 0&3
API String ID: 0-2804211376
Opcode ID: 0a93ac5786277fb973e2bba43862301e8caf14852a468464f4471736b1f96126
Instruction ID: e7754a2bb5b8df20172757897cb06cfb0aded81832444621cbd9cdcdbdee643b
Opcode Fuzzy Hash: 0a93ac5786277fb973e2bba43862301e8caf14852a468464f4471736b1f96126
Instruction Fuzzy Hash: B921BB326215118BD728CF79C86367E73E9A764310F15862EE4A7C37D0DE75AD04CB40

Function 00296DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb0c38102f5e6be304da749b58092746dd0e393daa68c951373c660aa52d67c
Instruction ID: b1916fa251399b015945925afb17e5543752b2a48c0e0e782da860df630fa000
Opcode Fuzzy Hash: 7cb0c38102f5e6be304da749b58092746dd0e393daa68c951373c660aa52d67c
Instruction Fuzzy Hash: 2F32F122D7AF014DDB239634DC36336A64DAFB73C5F15D727E82AB59A6EB29C4834100

Function 0027CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1eec0d64867fd1a72e9cbed2db2738ad43251c2295c20c84b62d600d2ea6b7b
Instruction ID: cb16fac85927da6b5fc88ebcdc979ad315c5c8ca811d7ba9e52b270bc2fd3fd1
Opcode Fuzzy Hash: d1eec0d64867fd1a72e9cbed2db2738ad43251c2295c20c84b62d600d2ea6b7b
Instruction Fuzzy Hash: C632F331A341178BDF39CE28C4A46FD7BA1EB45394F38816FD4998B2A1D634DDA1DB40

Function 00267920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac41a30b53731c9993088bf2a747d970db9dac036a106a83d1f954088adbbac
Instruction ID: b48bbf19e1e29a5708a2d42110d26d8f795f2abe89c5e589fb2a1546cc341757
Opcode Fuzzy Hash: 2ac41a30b53731c9993088bf2a747d970db9dac036a106a83d1f954088adbbac
Instruction Fuzzy Hash: 1E22F370A2460ADFDF14CFA4D981AAEB3F5FF49304F204129E816A7291EB35AD65CF50

Function 002691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5585c1e38fa8b132bf9b41247f3f449ab6ff71455646f37e9e964010b83011
Instruction ID: 858f04e602ff4b41fbdd22d4319220122d52e0feabdbf317c4d4b4216ba875de
Opcode Fuzzy Hash: 4d5585c1e38fa8b132bf9b41247f3f449ab6ff71455646f37e9e964010b83011
Instruction Fuzzy Hash: 1502D6B1A20206EBDF04DF54D981AAEB7B5FF45300F118169E806DB291EB71AE71CF91

Function 00281C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 9aafdbc5e337e6fd09fa468c3595ad03bf91bb2d26aef3532be01052683b9f45
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: B491B97A12A0A34ADB2D5A3E843413DFFE55A523A131A079ED4F2CA1C5FE10C975D720

Function 002819B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: bf6c9eec97587ef59826ed3c81fa1263ce8dd7d382b86e380dd385fa6fae3b84
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2291C77A22B0E349DB2D5A7A847403DFFE95A923A131A079ED4F2CA1C1FD14C576D720

Function 00287A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f80a20cdf9400ff42af06d58150db01ef6474db48ee09798ca153386afcf21
Instruction ID: 98a87d7749e6d1a7c9628f857be71ca0011682895d97652392053801a931370d
Opcode Fuzzy Hash: 25f80a20cdf9400ff42af06d58150db01ef6474db48ee09798ca153386afcf21
Instruction Fuzzy Hash: 62619A3D23A30B56DA38BD288C95BBE6396DF51708F34091AE842DB2C1DA51DE72C715

Function 00287CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69190e6cbfaf79e9a5e9d30c42293bd4929289c21b6f04b3161a58e20281957d
Instruction ID: 0093b060c4a6bbbe8f6791f9d9ac345a04c761e8d60fbeb9b620fc044451060e
Opcode Fuzzy Hash: 69190e6cbfaf79e9a5e9d30c42293bd4929289c21b6f04b3161a58e20281957d
Instruction Fuzzy Hash: DE618B3D23E70B92DA38BE284855BBF23889F52704F340859E843DB6C1EB52ED728755

Function 00281706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 139e33927b515fdb58ca1f2fec75e330d7840c218d18fd3133626341b8656518
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 4081A73B62A0A30DEB2D5A3A853543EFFE55A923A131A079DD4F2CB1C1EE24C575D720

Function 0027D064 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b456b214c0114bea38481c90ede046b5d7114b1ff0ca5f138fb7366db3ce11e
Instruction ID: fb09df9fb75522bf4098e526d906d57c8076e1dc4086ab8cb5c7eda5a285b1ab
Opcode Fuzzy Hash: 9b456b214c0114bea38481c90ede046b5d7114b1ff0ca5f138fb7366db3ce11e
Instruction Fuzzy Hash: 7F61ED7144E6E29FCB179F3489AA6847FB0EE6B6103084ADBC0808F19FD7646159CF57

Function 002E2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002E2B30
DeleteObject.GDI32(00000000), ref: 002E2B43
DestroyWindow.USER32 ref: 002E2B52
GetDesktopWindow.USER32 ref: 002E2B6D
GetWindowRect.USER32(00000000), ref: 002E2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 002E2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 002E2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E2CF8
GetClientRect.USER32(00000000,?), ref: 002E2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002E2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E2D80
GlobalLock.KERNEL32(00000000), ref: 002E2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E2D98
GlobalUnlock.KERNEL32(00000000), ref: 002E2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E2DA8
GlobalFree.KERNEL32(00000000), ref: 002E2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,002FFC38,00000000), ref: 002E2DDB
GlobalFree.KERNEL32(00000000), ref: 002E2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 002E2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 002E2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002E303F

Strings

, xrefs: 002E2FC5
static, xrefs: 002E2D3A, 002E2E91
AutoIt v3, xrefs: 002E2CF2
DISPLAY, xrefs: 002E2EA2

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 6c0d54fc3db17a67c64ef3eb247a13ce9d818b39365a7feb9a0c57ea65eecf38
Instruction ID: ce056bdccff9a48d675a82c1605b1950f92354ac0e96b5fe6fa6a2555c4ee0d5
Opcode Fuzzy Hash: 6c0d54fc3db17a67c64ef3eb247a13ce9d818b39365a7feb9a0c57ea65eecf38
Instruction Fuzzy Hash: A502AC71510209EFDB14DF64DD89EAE7BB9EF48360F208158F916AB2A0DB70AD54CF60

Function 002F70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 002F712F
GetSysColorBrush.USER32(0000000F), ref: 002F7160
GetSysColor.USER32(0000000F), ref: 002F716C
SetBkColor.GDI32(?,000000FF), ref: 002F7186
SelectObject.GDI32(?,?), ref: 002F7195
InflateRect.USER32(?,000000FF,000000FF), ref: 002F71C0
GetSysColor.USER32(00000010), ref: 002F71C8
CreateSolidBrush.GDI32(00000000), ref: 002F71CF
FrameRect.USER32(?,?,00000000), ref: 002F71DE
DeleteObject.GDI32(00000000), ref: 002F71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 002F7230
FillRect.USER32(?,?,?), ref: 002F7262
GetWindowLongW.USER32(?,000000F0), ref: 002F7284

Part of subcall function 002F73E8: GetSysColor.USER32(00000012), ref: 002F7421
Part of subcall function 002F73E8: SetTextColor.GDI32(?,?), ref: 002F7425
Part of subcall function 002F73E8: GetSysColorBrush.USER32(0000000F), ref: 002F743B
Part of subcall function 002F73E8: GetSysColor.USER32(0000000F), ref: 002F7446
Part of subcall function 002F73E8: GetSysColor.USER32(00000011), ref: 002F7463
Part of subcall function 002F73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002F7471
Part of subcall function 002F73E8: SelectObject.GDI32(?,00000000), ref: 002F7482
Part of subcall function 002F73E8: SetBkColor.GDI32(?,00000000), ref: 002F748B
Part of subcall function 002F73E8: SelectObject.GDI32(?,?), ref: 002F7498
Part of subcall function 002F73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002F74B7
Part of subcall function 002F73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002F74CE
Part of subcall function 002F73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002F74DB

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: fcdd9ce8daaad81b8d7f36d797a2a242e06efce15a55bf14b63a6c91ede3611d
Instruction ID: b2f5ec20ef5b2b8b6ad6935da4e3299110a67033843391c27b3437077bb244a4
Opcode Fuzzy Hash: fcdd9ce8daaad81b8d7f36d797a2a242e06efce15a55bf14b63a6c91ede3611d
Instruction Fuzzy Hash: 41A19371018309AFD7009F60ED4CE7BBBA9FB493B0F200A29FA66961E1D771E954CB51

Function 00278D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00278E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 002B6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 002B6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 002B6F43

Part of subcall function 00278F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00278BE8,?,00000000,?,?,?,?,00278BBA,00000000,?), ref: 00278FC5

SendMessageW.USER32(?,00001053), ref: 002B6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002B6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 002B6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 002B6FB7

Strings

0, xrefs: 002B6DCF

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: e1835c22eb8d0b20507b6aaba704d9f79f5787d08affd60f81211d7a8ca33350
Instruction ID: 587ea141ddee1559b47cc51e078eb4f330838b8f7c1cffc3bcd882da4d06525e
Opcode Fuzzy Hash: e1835c22eb8d0b20507b6aaba704d9f79f5787d08affd60f81211d7a8ca33350
Instruction Fuzzy Hash: 4712AD30624202DFD725CF24D99CBBAB7E5FB44350F188469F4899B661CB35E862CF91

Function 002E2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 002E273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002E286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002E28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002E28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 002E2900
GetClientRect.USER32(00000000,?), ref: 002E290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 002E2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002E2964
GetStockObject.GDI32(00000011), ref: 002E2974
SelectObject.GDI32(00000000,00000000), ref: 002E2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 002E2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002E2991
DeleteDC.GDI32(00000000), ref: 002E299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002E29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002E29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 002E2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 002E2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 002E2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 002E2A77
GetStockObject.GDI32(00000011), ref: 002E2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002E2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 002E2A97

Strings

msctls_progress32, xrefs: 002E2A13
static, xrefs: 002E294F, 002E2A71
AutoIt v3, xrefs: 002E28F8
DISPLAY, xrefs: 002E295A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 218fdd554bcc80c9b39af29ef27ce316477006fae24cc7348bc4c1a23f838a08
Instruction ID: 5198e12e73565c6afc72ac0b88cad1cfd07d9988498e1169960ed986ad8d505d
Opcode Fuzzy Hash: 218fdd554bcc80c9b39af29ef27ce316477006fae24cc7348bc4c1a23f838a08
Instruction Fuzzy Hash: 5DB16C75A50209AFEB14DF68DD89FAEBBADEB08720F104114F915E7290D770AD50CFA0

Function 002D4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002D4AED
GetDriveTypeW.KERNEL32(?,002FCB68,?,\\.\,002FCC08), ref: 002D4BCA
SetErrorMode.KERNEL32(00000000,002FCB68,?,\\.\,002FCC08), ref: 002D4D36

Strings

SSA, xrefs: 002D4CA6
FileBackedVirtual, xrefs: 002D4CEC
MMC, xrefs: 002D4CDE
ATAPI, xrefs: 002D4C91
SSD, xrefs: 002D4C4A
iSCSI, xrefs: 002D4CC2
SCSI, xrefs: 002D4C8A
RAID, xrefs: 002D4CBB
PhysicalDrive, xrefs: 002D4B76
Fixed, xrefs: 002D4C09
Virtual, xrefs: 002D4CE5
Removable, xrefs: 002D4C10, 002D4C15
USB, xrefs: 002D4CB4
SAS, xrefs: 002D4CC9
ATA, xrefs: 002D4C98
Unknown, xrefs: 002D4BED, 002D4C83
Network, xrefs: 002D4C02
RAMDisk, xrefs: 002D4BF4
1394, xrefs: 002D4C9F
\\.\, xrefs: 002D4B3F
SATA, xrefs: 002D4CD0
CDROM, xrefs: 002D4BFB
Fibre, xrefs: 002D4CAD

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 76bf0f8f6d323f435a98c35376657140e4f8cd20ecf2242657073cc0cb319809
Instruction ID: 1bb134bc0bff934daa9d97b3f1c5e10112ffe15e7d0453bde99a786dcb217e9d
Opcode Fuzzy Hash: 76bf0f8f6d323f435a98c35376657140e4f8cd20ecf2242657073cc0cb319809
Instruction Fuzzy Hash: E261CF3063610ADBCB05FF24DA829BDB7B1AF44744B208567F806AB391DB71EDA1DB41

Function 002F73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 002F7421
SetTextColor.GDI32(?,?), ref: 002F7425
GetSysColorBrush.USER32(0000000F), ref: 002F743B
GetSysColor.USER32(0000000F), ref: 002F7446
CreateSolidBrush.GDI32(?), ref: 002F744B
GetSysColor.USER32(00000011), ref: 002F7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 002F7471
SelectObject.GDI32(?,00000000), ref: 002F7482
SetBkColor.GDI32(?,00000000), ref: 002F748B
SelectObject.GDI32(?,?), ref: 002F7498
InflateRect.USER32(?,000000FF,000000FF), ref: 002F74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002F74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002F74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002F752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002F7554
InflateRect.USER32(?,000000FD,000000FD), ref: 002F7572
DrawFocusRect.USER32(?,?), ref: 002F757D
GetSysColor.USER32(00000011), ref: 002F758E
SetTextColor.GDI32(?,00000000), ref: 002F7596
DrawTextW.USER32(?,002F70F5,000000FF,?,00000000), ref: 002F75A8
SelectObject.GDI32(?,?), ref: 002F75BF
DeleteObject.GDI32(?), ref: 002F75CA
SelectObject.GDI32(?,?), ref: 002F75D0
DeleteObject.GDI32(?), ref: 002F75D5
SetTextColor.GDI32(?,?), ref: 002F75DB
SetBkColor.GDI32(?,?), ref: 002F75E5

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 70f06a33d0c45ea9b5c93aff56bf843f95e9339168944931aa8552590512d7fd
Instruction ID: f5db8919f90ce5fdf3b86fb98d7326a8b20c06b58958bd971ed182a5968542b5
Opcode Fuzzy Hash: 70f06a33d0c45ea9b5c93aff56bf843f95e9339168944931aa8552590512d7fd
Instruction Fuzzy Hash: F6615F7290421DAFDB019FA4ED49EEEBF79EB08360F214125FA15BB2A1D7709950CF90

Function 002F0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002F1128
GetDesktopWindow.USER32 ref: 002F113D
GetWindowRect.USER32(00000000), ref: 002F1144
GetWindowLongW.USER32(?,000000F0), ref: 002F1199
DestroyWindow.USER32(?), ref: 002F11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002F11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002F120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002F121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 002F1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 002F1245
IsWindowVisible.USER32(00000000), ref: 002F12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002F12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002F12D0
GetWindowRect.USER32(00000000,?), ref: 002F12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 002F130E
GetMonitorInfoW.USER32(00000000,?), ref: 002F1328
CopyRect.USER32(?,?), ref: 002F133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002F13AA

Strings

(, xrefs: 002F131B
0, xrefs: 002F10D3
tooltips_class32, xrefs: 002F11E6

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 4c110488768dcbf7bfa613468ae524d35cbed79bc80ed32700322dc750841414
Instruction ID: b6300989b96362998eb77c0c345b54bd7deeca00e698a20e97f03cab7613c802
Opcode Fuzzy Hash: 4c110488768dcbf7bfa613468ae524d35cbed79bc80ed32700322dc750841414
Instruction Fuzzy Hash: D8B19C71618345EFD704DF64C984B6AFBE4EF84390F408928FA999B261CB70D864CF51

Function 002F0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002F02E5
_wcslen.LIBCMT ref: 002F031F
_wcslen.LIBCMT ref: 002F0389
_wcslen.LIBCMT ref: 002F03F1
_wcslen.LIBCMT ref: 002F0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002F04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002F0504

Part of subcall function 0027F9F2: _wcslen.LIBCMT ref: 0027F9FD

Part of subcall function 002C223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002C2258
Part of subcall function 002C223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002C228A

Strings

FINDITEM, xrefs: 002F0627
GETITEMCOUNT, xrefs: 002F0316, 002F0337
ISSELECTED, xrefs: 002F04DD
SELECT, xrefs: 002F0548
GETSELECTEDCOUNT, xrefs: 002F0470, 002F048B
SELECTALL, xrefs: 002F0515
GETTEXT, xrefs: 002F03EC, 002F0407
GETSUBITEMCOUNT, xrefs: 002F0384, 002F039F
VIEWCHANGE, xrefs: 002F0675
SELECTINVERT, xrefs: 002F057E
SELECTCLEAR, xrefs: 002F052D
DESELECT, xrefs: 002F059C
GETSELECTED, xrefs: 002F05E1

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: c8f6a572d1fbb95e6249dab7cbfaeee56a8e9bf6c923b28b3c793c66d0996c01
Instruction ID: 6d9338b43f3a6b0b4499171ceea4e25aa299d1e968c3fa6208829aa1397209d0
Opcode Fuzzy Hash: c8f6a572d1fbb95e6249dab7cbfaeee56a8e9bf6c923b28b3c793c66d0996c01
Instruction Fuzzy Hash: FAE1E0312282168FC714DF24C59083AF3E6BFC8394B50496DF9969B3A2DB30EDA5CB41

Function 00278891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00278968
GetSystemMetrics.USER32(00000007), ref: 00278970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0027899B
GetSystemMetrics.USER32(00000008), ref: 002789A3
GetSystemMetrics.USER32(00000004), ref: 002789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00278A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00278A3C
GetClientRect.USER32(00000000,000000FF), ref: 00278A5A
GetStockObject.GDI32(00000011), ref: 00278A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00278A81

Part of subcall function 0027912D: GetCursorPos.USER32(?), ref: 00279141
Part of subcall function 0027912D: ScreenToClient.USER32(00000000,?), ref: 0027915E
Part of subcall function 0027912D: GetAsyncKeyState.USER32(00000001), ref: 00279183
Part of subcall function 0027912D: GetAsyncKeyState.USER32(00000002), ref: 0027919D

SetTimer.USER32(00000000,00000000,00000028,002790FC), ref: 00278AA8

Strings

AutoIt v3 GUI, xrefs: 00278A20

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c36698464103f216653664e1cf6eddd55ad19f17cfd0fdc08652f57238b5584b
Instruction ID: 2fed180c26083fd144bf6400f8b511a76b8ddbf5da5c7b4713f5d290409dcc24
Opcode Fuzzy Hash: c36698464103f216653664e1cf6eddd55ad19f17cfd0fdc08652f57238b5584b
Instruction Fuzzy Hash: DEB19E71A1020A9FDB14DF68DD89BEE7BB4FB48354F108129FA15E7290DB74A850CF50

Function 002C0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002C1114
Part of subcall function 002C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,002C0B9B,?,?,?), ref: 002C1120
Part of subcall function 002C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002C0B9B,?,?,?), ref: 002C112F
Part of subcall function 002C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002C0B9B,?,?,?), ref: 002C1136
Part of subcall function 002C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002C0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002C0E29
GetLengthSid.ADVAPI32(?), ref: 002C0E40
GetAce.ADVAPI32(?,00000000,?), ref: 002C0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002C0E96
GetLengthSid.ADVAPI32(?), ref: 002C0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 002C0EB5
HeapAlloc.KERNEL32(00000000), ref: 002C0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 002C0EDD
CopySid.ADVAPI32(00000000), ref: 002C0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002C0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002C0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002C0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C0F6E
HeapFree.KERNEL32(00000000), ref: 002C0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C0F7E
HeapFree.KERNEL32(00000000), ref: 002C0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C0F8E
HeapFree.KERNEL32(00000000), ref: 002C0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 002C0FA1
HeapFree.KERNEL32(00000000), ref: 002C0FA8

Part of subcall function 002C1193: GetProcessHeap.KERNEL32(00000008,002C0BB1,?,00000000,?,002C0BB1,?), ref: 002C11A1
Part of subcall function 002C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,002C0BB1,?), ref: 002C11A8
Part of subcall function 002C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,002C0BB1,?), ref: 002C11B7

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3f9bd8e1eeaf5793357b3fbb6dd66c9ed432379a9325095a7f6bcefb2413d807
Instruction ID: f9baf50d513e4d57318a6b2a9a57d957e8194941db79f7eb540f0f56a5a75b5f
Opcode Fuzzy Hash: 3f9bd8e1eeaf5793357b3fbb6dd66c9ed432379a9325095a7f6bcefb2413d807
Instruction Fuzzy Hash: B671807191020AEBDF209FA4ED88FAEBBB8BF04350F144229F919E6151DB319965CB60

Function 002EC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002EC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,002FCC08,00000000,?,00000000,?,?), ref: 002EC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 002EC5A4
_wcslen.LIBCMT ref: 002EC5F4
_wcslen.LIBCMT ref: 002EC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 002EC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 002EC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 002EC84D
RegCloseKey.ADVAPI32(?), ref: 002EC881
RegCloseKey.ADVAPI32(00000000), ref: 002EC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 002EC960

Strings

REG_EXPAND_SZ, xrefs: 002EC5CD
REG_QWORD, xrefs: 002EC8C3
REG_DWORD, xrefs: 002EC804
REG_MULTI_SZ, xrefs: 002EC6F5
REG_SZ, xrefs: 002EC644
REG_BINARY, xrefs: 002EC913

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 93c62c082a8953b07bbc79af15459842f60a9da777eaa18f40b9c2c0f462fa42
Instruction ID: f645f766b5efa2fc37c6a8f18505b7cd50bec64bd2b6ef88630e9a6836b256a1
Opcode Fuzzy Hash: 93c62c082a8953b07bbc79af15459842f60a9da777eaa18f40b9c2c0f462fa42
Instruction Fuzzy Hash: BC129F356242419FD714DF15C481A2AB7E5FF88714F64889DF88A9B3A2DB30EC52CF81

Function 002F091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002F09C6
_wcslen.LIBCMT ref: 002F0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002F0A54
_wcslen.LIBCMT ref: 002F0A8A
_wcslen.LIBCMT ref: 002F0B06
_wcslen.LIBCMT ref: 002F0B81

Part of subcall function 0027F9F2: _wcslen.LIBCMT ref: 0027F9FD

Part of subcall function 002C2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002C2BFA

Strings

EXPAND, xrefs: 002F0BF8
UNCHECK, xrefs: 002F0D3E
GETITEMCOUNT, xrefs: 002F0C1E
EXISTS, xrefs: 002F0B7C, 002F0B97
SELECT, xrefs: 002F0D11
COLLAPSE, xrefs: 002F0B01, 002F0B1C
GETSELECTED, xrefs: 002F0C4E
ISCHECKED, xrefs: 002F0CE1
GETTOTALCOUNT, xrefs: 002F09F2, 002F0A17
GETTEXT, xrefs: 002F0C97
CHECK, xrefs: 002F0A85, 002F0AA0

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: d226b8c559eb06796922fe1cc58860139ecd3dd2ed82d4f3b4f1df95ee46db57
Instruction ID: 3bc55b48f9ca6d1bf8116391e8991ec20259c0a6e1c0cb6101de9f084295377a
Opcode Fuzzy Hash: d226b8c559eb06796922fe1cc58860139ecd3dd2ed82d4f3b4f1df95ee46db57
Instruction Fuzzy Hash: E1E19D352283068FC714DF24C59093AF7E1BF98358B50896DF99A9B362DB30ED65CB81

Function 002EC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,002EB6AE,?,?), ref: 002EC9B5
_wcslen.LIBCMT ref: 002EC9F1
_wcslen.LIBCMT ref: 002ECA68
_wcslen.LIBCMT ref: 002ECA9E
_wcslen.LIBCMT ref: 002ECAF9
_wcslen.LIBCMT ref: 002ECB2F
_wcslen.LIBCMT ref: 002ECB7F

Strings

HKEY_USERS, xrefs: 002ECBDF
HKEY_CURRENT_USER, xrefs: 002ECBBD
HKLM, xrefs: 002ECA98, 002ECA9D
HKU, xrefs: 002ECBF0
HKCC, xrefs: 002ECBAC
HKEY_LOCAL_MACHINE, xrefs: 002ECA62, 002ECA67
HKEY_CURRENT_CONFIG, xrefs: 002ECB79, 002ECB7E
HKCR, xrefs: 002ECB29, 002ECB2E
HKEY_CLASSES_ROOT, xrefs: 002ECAF3, 002ECAF8
HKCU, xrefs: 002ECBCE

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 0c0febe64de5658d26c6dc98377faa726f93cfa8687f5915134f012e09aa4c82
Instruction ID: 10d0bf195fc4d59f7d35ba4a27681b3a7aeb65145ed7ddd996e0414dc3407a43
Opcode Fuzzy Hash: 0c0febe64de5658d26c6dc98377faa726f93cfa8687f5915134f012e09aa4c82
Instruction Fuzzy Hash: F87129326701AB8BCB20DEBED9415BE3395AB60754FB10139F86997384E630CD62C7A0

Function 002F833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002F835A
_wcslen.LIBCMT ref: 002F836E
_wcslen.LIBCMT ref: 002F8391
_wcslen.LIBCMT ref: 002F83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002F83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002F5BF2), ref: 002F844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002F8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002F84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002F8501
FreeLibrary.KERNEL32(?), ref: 002F850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002F851D
DestroyIcon.USER32(?,?,?,?,?,002F5BF2), ref: 002F852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002F8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002F8555

Strings

.icl, xrefs: 002F8368
.dll, xrefs: 002F83AB
.exe, xrefs: 002F8388

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: bfdfa5d24ab030562929cd28a580eee5ead0be723c04c0b05fc32aa1dc6fd50a
Instruction ID: 494bf4fd3484a3a2c700fdb25b0a4e363c74f1518c9cb74e185cdf27f85480a2
Opcode Fuzzy Hash: bfdfa5d24ab030562929cd28a580eee5ead0be723c04c0b05fc32aa1dc6fd50a
Instruction Fuzzy Hash: 1461037152021ABFEB14DF64DC45BBEB7A8FF04760F20412AF915D60D1DB74A9A0CBA0

Function 00267778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include-once, xrefs: 0026782F
Unterminated group of comments, xrefs: 002A528C
#cs, xrefs: 00267873, 002678C5
#comments-start, xrefs: 0026785F, 002678B1
Cannot parse #include, xrefs: 002A5279
#comments-end, xrefs: 002678D9
#ce, xrefs: 002678ED
#notrayicon, xrefs: 002677E7
Bad directive syntax error, xrefs: 002A519A
#requireadmin, xrefs: 002677FF
#pragma compile, xrefs: 002677D3
', xrefs: 002A5169
", xrefs: 002A5153
#include, xrefs: 00267847
#OnAutoItStartRegister, xrefs: 00267817

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 5ebc8eed9255a76b07c6369cfc4e11c7d962194833e6ee5207425652771bf9e8
Instruction ID: b99b766b8f9b21b82115e3ba3b0f382d27b0ee7ad36ebd6e480d74b2bd3446c2
Opcode Fuzzy Hash: 5ebc8eed9255a76b07c6369cfc4e11c7d962194833e6ee5207425652771bf9e8
Instruction Fuzzy Hash: 9981E471634216ABDB21AF60DD42FBF77A8AF16344F104025FD08AB196EB70D9B1CB91

Function 002D3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 002D3EF8
_wcslen.LIBCMT ref: 002D3F03
_wcslen.LIBCMT ref: 002D3F5A
_wcslen.LIBCMT ref: 002D3F98
GetDriveTypeW.KERNEL32(?), ref: 002D3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002D401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002D4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002D4087

Strings

open , xrefs: 002D3FE5
type cdaudio alias cd wait, xrefs: 002D4001
set cd door , xrefs: 002D4028
wait, xrefs: 002D4044
closed, xrefs: 002D3F08, 002D3F2D, 002D3F46, 002D3F7E, 002D3F97
close, xrefs: 002D3EFE, 002D3F18
close cd wait, xrefs: 002D4072
open, xrefs: 002D3F54, 002D3F59

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 785ea5da6c700304e64dc907d61a18cbc850243ab29e85f2e3bbce2dcd173e58
Instruction ID: e39a0bd60045c0c4e85f15a67efbfb218dda1b3ffd6f40f2e4657d060c5af1b6
Opcode Fuzzy Hash: 785ea5da6c700304e64dc907d61a18cbc850243ab29e85f2e3bbce2dcd173e58
Instruction Fuzzy Hash: 0471E3326242169FC310EF24C88186AB7F4EF94768F10492EF89697351EB31ED95CB92

Function 002C5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 002C5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002C5A40
SetWindowTextW.USER32(?,?), ref: 002C5A57
GetDlgItem.USER32(?,000003EA), ref: 002C5A6C
SetWindowTextW.USER32(00000000,?), ref: 002C5A72
GetDlgItem.USER32(?,000003E9), ref: 002C5A82
SetWindowTextW.USER32(00000000,?), ref: 002C5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 002C5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 002C5AC3
GetWindowRect.USER32(?,?), ref: 002C5ACC
_wcslen.LIBCMT ref: 002C5B33
SetWindowTextW.USER32(?,?), ref: 002C5B6F
GetDesktopWindow.USER32 ref: 002C5B75
GetWindowRect.USER32(00000000), ref: 002C5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 002C5BD3
GetClientRect.USER32(?,?), ref: 002C5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 002C5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 002C5C2F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 9746cde73a1b11808444345046f6a59b29e257df6ca1136e3987e084149d5019
Instruction ID: 0a8e297af675921bb483fd4250f9745a30c0018a6aee5e48aef6c1d78b49da3b
Opcode Fuzzy Hash: 9746cde73a1b11808444345046f6a59b29e257df6ca1136e3987e084149d5019
Instruction Fuzzy Hash: 84716C31910A1A9FCB20DFA8CE49FAEBBF5EF48714F10462CE142A25A4D771F950CB50

Function 002DFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 002DFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 002DFE32
LoadCursorW.USER32(00000000,00007F00), ref: 002DFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 002DFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 002DFE53
LoadCursorW.USER32(00000000,00007F01), ref: 002DFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 002DFE69
LoadCursorW.USER32(00000000,00007F88), ref: 002DFE74
LoadCursorW.USER32(00000000,00007F80), ref: 002DFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 002DFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 002DFE95
LoadCursorW.USER32(00000000,00007F85), ref: 002DFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 002DFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 002DFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 002DFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 002DFECC
GetCursorInfo.USER32(?), ref: 002DFEDC
GetLastError.KERNEL32 ref: 002DFF1E

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: ab60bde307dae7fb1143066ddea4c16f64179db6da516bf2c457ee16954d400f
Instruction ID: 41bdda1c1cd7f625452b485e3192b682404dc3f6b413c1322fba0bf43ccb97e1
Opcode Fuzzy Hash: ab60bde307dae7fb1143066ddea4c16f64179db6da516bf2c457ee16954d400f
Instruction Fuzzy Hash: CE4174B0D0431AAEDB109FBA8C8986EBFE8FF04354B50452AE11DE7681DB789901CF90

Function 002C30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002C318D
_wcslen.LIBCMT ref: 002C31F8

Strings

CLASS, xrefs: 002C3188, 002C31A5
TEXT, xrefs: 002C347C
NAME, xrefs: 002C3335, 002C3346
CLASSNN, xrefs: 002C31F3, 002C3204
[2, xrefs: 002C339A
REGEXPCLASS, xrefs: 002C3255, 002C3266
INSTANCE, xrefs: 002C3453

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[2
API String ID: 176396367-686360318
Opcode ID: f18d757f02a1e374e84745051170211d074b14b38f8448786b4e2919e2f05641
Instruction ID: f75c80b5eb018ebfb90644b9032e30f0603abef0ecb3c0ba869d50b7e89eef52
Opcode Fuzzy Hash: f18d757f02a1e374e84745051170211d074b14b38f8448786b4e2919e2f05641
Instruction Fuzzy Hash: 57E1D632A205169BCB28DF68C441FEDBBB4BF48750F54C61DE856E7240DB70AFA58B90

Function 002800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002800C6

Part of subcall function 002800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0033070C,00000FA0,764F6880,?,?,?,?,002A23B3,000000FF), ref: 0028011C
Part of subcall function 002800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002A23B3,000000FF), ref: 00280127
Part of subcall function 002800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002A23B3,000000FF), ref: 00280138
Part of subcall function 002800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0028014E
Part of subcall function 002800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0028015C
Part of subcall function 002800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0028016A
Part of subcall function 002800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00280195
Part of subcall function 002800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002801A0

___scrt_fastfail.LIBCMT ref: 002800E7

Part of subcall function 002800A3: __onexit.LIBCMT ref: 002800A9

Strings

kernel32.dll, xrefs: 00280133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00280122
InitializeConditionVariable, xrefs: 00280148
SleepConditionVariableCS, xrefs: 00280154
WakeAllConditionVariable, xrefs: 00280162

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: ff63e3eaedc46ae4144fdb3368eb522036d353c5233d459370ef24f37972455d
Instruction ID: f41b6ac0fdea6bab8bf6ba21c3cd4059194d38ed230346c2fd58a7137ac9a1ed
Opcode Fuzzy Hash: ff63e3eaedc46ae4144fdb3368eb522036d353c5233d459370ef24f37972455d
Instruction Fuzzy Hash: 6B2137366253056BE7916B64AE8DB3A7398DF06BF0F100139F909922D1DB709824CBA0

Function 002D44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,002FCC08), ref: 002D4527
_wcslen.LIBCMT ref: 002D453B
_wcslen.LIBCMT ref: 002D4599
_wcslen.LIBCMT ref: 002D45F4
_wcslen.LIBCMT ref: 002D463F
_wcslen.LIBCMT ref: 002D46A7

Part of subcall function 0027F9F2: _wcslen.LIBCMT ref: 0027F9FD

GetDriveTypeW.KERNEL32(?,00326BF0,00000061), ref: 002D4743

Strings

ramdisk, xrefs: 002D46F1
fixed, xrefs: 002D4635, 002D463A
network, xrefs: 002D469D, 002D46A2
removable, xrefs: 002D45EA, 002D45EF
all, xrefs: 002D4531, 002D4536
cdrom, xrefs: 002D458F, 002D4594
unknown, xrefs: 002D4708

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 0d9047511ef34a8d7e4176bc70e4dcec853248a227e7a97b127371cf252b31e6
Instruction ID: 715657d615271080597dedd68a384129fa1e2c3c7676414e86033a1a019286cf
Opcode Fuzzy Hash: 0d9047511ef34a8d7e4176bc70e4dcec853248a227e7a97b127371cf252b31e6
Instruction Fuzzy Hash: 43B1E1316283029FC710EF28D891A7AB7E5AFA5764F50491EF49AC7391D730DCA4CB92

Function 002F911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00279BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00279BB2

DragQueryPoint.SHELL32(?,?), ref: 002F9147

Part of subcall function 002F7674: ClientToScreen.USER32(?,?), ref: 002F769A
Part of subcall function 002F7674: GetWindowRect.USER32(?,?), ref: 002F7710
Part of subcall function 002F7674: PtInRect.USER32(?,?,002F8B89), ref: 002F7720

SendMessageW.USER32(?,000000B0,?,?), ref: 002F91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002F91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002F91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 002F9225
SendMessageW.USER32(?,000000B0,?,?), ref: 002F923E
SendMessageW.USER32(?,000000B1,?,?), ref: 002F9255
SendMessageW.USER32(?,000000B1,?,?), ref: 002F9277
DragFinish.SHELL32(?), ref: 002F927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002F9371

Strings

@GUI_DROPID, xrefs: 002F929E
@GUI_DRAGID, xrefs: 002F92E9
@GUI_DRAGFILE, xrefs: 002F9320
p#3, xrefs: 002F92BB

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#3
API String ID: 221274066-3482930507
Opcode ID: 4143e235483beb0b228562176a19f0cb604da677a4762e55e57b6e185323767d
Instruction ID: 294034b00bf44f9e7c30ca68d143af76cbb013121203c25579b10b867afe4049
Opcode Fuzzy Hash: 4143e235483beb0b228562176a19f0cb604da677a4762e55e57b6e185323767d
Instruction Fuzzy Hash: CF618B71118305AFC705DF60DD89EAFBBE8EF88790F10092EF595921A0DB709A99CF52

Function 0026326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00331990), ref: 002A2F8D
GetMenuItemCount.USER32(00331990), ref: 002A303D
GetCursorPos.USER32(?), ref: 002A3081
SetForegroundWindow.USER32(00000000), ref: 002A308A
TrackPopupMenuEx.USER32(00331990,00000000,?,00000000,00000000,00000000), ref: 002A309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002A30A9

Strings

0, xrefs: 0026327D

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 92e0390367129a9c838ba452e1f08ffe2840f5424e56bfe75af30e88aa6868b2
Instruction ID: ab26f524221870f2fcdce2fc45c0774321cf219272f7d40e1cf240cf787fe9c1
Opcode Fuzzy Hash: 92e0390367129a9c838ba452e1f08ffe2840f5424e56bfe75af30e88aa6868b2
Instruction Fuzzy Hash: ED710770654206BFEB25CF28DD49FAABF64FF01364F204216F915AA1E0CBB1AD64DB50

Function 002F6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 002F6DEB

Part of subcall function 00266B57: _wcslen.LIBCMT ref: 00266B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002F6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002F6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002F6E94
DestroyWindow.USER32(?), ref: 002F6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00260000,00000000), ref: 002F6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002F6EFD
GetDesktopWindow.USER32 ref: 002F6F16
GetWindowRect.USER32(00000000), ref: 002F6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002F6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002F6F4D

Part of subcall function 00279944: GetWindowLongW.USER32(?,000000EB), ref: 00279952

Strings

0, xrefs: 002F6D98
tooltips_class32, xrefs: 002F6E58, 002F6EDD

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 731134a033ca16e1d0613055842704094abcb68db21c57f8f6ac2cd8936fc1a9
Instruction ID: 7af6d5e3b88b615ca04ac5e0db5e61c165215b0b9822a09c32dffcc16585dab1
Opcode Fuzzy Hash: 731134a033ca16e1d0613055842704094abcb68db21c57f8f6ac2cd8936fc1a9
Instruction Fuzzy Hash: 1C717871114249AFDB21CF18D848FBABBE9FB89344F14052DFA8987260C770AD16CB11

Function 002DC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002DC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 002DC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 002DC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 002DC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 002DC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002DC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002DC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002DC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 002DC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 002DC5F0
InternetCloseHandle.WININET(00000000), ref: 002DC5FB

Strings

, xrefs: 002DC575

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 89231dfd42bea1cbad1b8de0c850b8b5be7172e65e75fcb3b3e9352c60aa057f
Instruction ID: 05698deca79a2ae63d6df789b0004bcfefd437f02df99047a9a19c8121124750
Opcode Fuzzy Hash: 89231dfd42bea1cbad1b8de0c850b8b5be7172e65e75fcb3b3e9352c60aa057f
Instruction Fuzzy Hash: 54515EB151020ABFDB219F60D948ABB7BBCFF08794F60442AF946A6250DB70ED54DB60

Function 002F856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 002F8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002F85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002F85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002F85BA
GlobalLock.KERNEL32(00000000), ref: 002F85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002F85D7
GlobalUnlock.KERNEL32(00000000), ref: 002F85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002F85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002F85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,002FFC38,?), ref: 002F8611
GlobalFree.KERNEL32(00000000), ref: 002F8621
GetObjectW.GDI32(?,00000018,?), ref: 002F8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 002F8671
DeleteObject.GDI32(?), ref: 002F8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002F86AF

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: d4ba291dc081b6fea014181b3d4c201ba0cf4e41988e9ec9a840926d9c08840b
Instruction ID: ac03f084643cdc0a9b13cf9fa5a5e2ab8a527db3acabbd5462045f64c9a1c9d2
Opcode Fuzzy Hash: d4ba291dc081b6fea014181b3d4c201ba0cf4e41988e9ec9a840926d9c08840b
Instruction Fuzzy Hash: 92411975600209AFDB11DFA5DD4CEBABBBCEF897A1F104068F909E7260DB709911DB20

Function 002D14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 002D1502
VariantCopy.OLEAUT32(?,?), ref: 002D150B
VariantClear.OLEAUT32(?), ref: 002D1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002D15FB
VarR8FromDec.OLEAUT32(?,?), ref: 002D1657
VariantInit.OLEAUT32(?), ref: 002D1708
SysFreeString.OLEAUT32(?), ref: 002D178C
VariantClear.OLEAUT32(?), ref: 002D17D8
VariantClear.OLEAUT32(?), ref: 002D17E7
VariantInit.OLEAUT32(00000000), ref: 002D1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 002D1625
Default, xrefs: 002D16AF

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 0d62c01c7d93957a4481f13ffc85f619c406669143c6db6bfc5373056b0755d0
Instruction ID: d2a5bf576981d8cac2f82bf5f956ae89a53e110c36e342de63f63037f41b4d61
Opcode Fuzzy Hash: 0d62c01c7d93957a4481f13ffc85f619c406669143c6db6bfc5373056b0755d0
Instruction Fuzzy Hash: 14D10072A20106FBDB10AF65E884B7DB7B5BF45700F608067E446ABA90DBB4DC70DB61

Function 002EB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

Part of subcall function 002EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002EB6AE,?,?), ref: 002EC9B5
Part of subcall function 002EC998: _wcslen.LIBCMT ref: 002EC9F1
Part of subcall function 002EC998: _wcslen.LIBCMT ref: 002ECA68
Part of subcall function 002EC998: _wcslen.LIBCMT ref: 002ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002EB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002EB772
RegDeleteValueW.ADVAPI32(?,?), ref: 002EB80A
RegCloseKey.ADVAPI32(?), ref: 002EB87E
RegCloseKey.ADVAPI32(?), ref: 002EB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 002EB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002EB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 002EB922
FreeLibrary.KERNEL32(00000000), ref: 002EB983
RegCloseKey.ADVAPI32(00000000), ref: 002EB994

Strings

advapi32.dll, xrefs: 002EB8ED
RegDeleteKeyExW, xrefs: 002EB8FE

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: f993202a02377a4b7cf2b4d90bd3bec4c1983f8b341c490e788ee224a95afd28
Instruction ID: 2b4be83b8fa1274281f73d310e186df3e073eaeb2282d5413b4a098c9cbd5783
Opcode Fuzzy Hash: f993202a02377a4b7cf2b4d90bd3bec4c1983f8b341c490e788ee224a95afd28
Instruction Fuzzy Hash: 75C1AD31224282AFD711DF15C494F2ABBE5BF84318F64849CE49A4B7A2CB71EC95CF91

Function 002E255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002E25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002E25E8
CreateCompatibleDC.GDI32(?), ref: 002E25F4
SelectObject.GDI32(00000000,?), ref: 002E2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 002E266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002E26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002E26D0
SelectObject.GDI32(?,?), ref: 002E26D8
DeleteObject.GDI32(?), ref: 002E26E1
DeleteDC.GDI32(?), ref: 002E26E8
ReleaseDC.USER32(00000000,?), ref: 002E26F3

Strings

(, xrefs: 002E268D

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ced773404f5b155c457cef54f3992e339cad0baf7b600937b1193c747c4175d5
Instruction ID: 119f25438b81930bc046802667447c1307661cc9d139a0875174c26345c2af6e
Opcode Fuzzy Hash: ced773404f5b155c457cef54f3992e339cad0baf7b600937b1193c747c4175d5
Instruction Fuzzy Hash: 7161E375D10219EFCF04CFA8D984EAEBBB9FF48310F208529E95AA7250D770A955CF50

Function 0029DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0029DAA1

Part of subcall function 0029D63C: _free.LIBCMT ref: 0029D659
Part of subcall function 0029D63C: _free.LIBCMT ref: 0029D66B
Part of subcall function 0029D63C: _free.LIBCMT ref: 0029D67D
Part of subcall function 0029D63C: _free.LIBCMT ref: 0029D68F
Part of subcall function 0029D63C: _free.LIBCMT ref: 0029D6A1
Part of subcall function 0029D63C: _free.LIBCMT ref: 0029D6B3
Part of subcall function 0029D63C: _free.LIBCMT ref: 0029D6C5
Part of subcall function 0029D63C: _free.LIBCMT ref: 0029D6D7
Part of subcall function 0029D63C: _free.LIBCMT ref: 0029D6E9
Part of subcall function 0029D63C: _free.LIBCMT ref: 0029D6FB
Part of subcall function 0029D63C: _free.LIBCMT ref: 0029D70D
Part of subcall function 0029D63C: _free.LIBCMT ref: 0029D71F
Part of subcall function 0029D63C: _free.LIBCMT ref: 0029D731

_free.LIBCMT ref: 0029DA96

Part of subcall function 002929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0029D7D1,00000000,00000000,00000000,00000000,?,0029D7F8,00000000,00000007,00000000,?,0029DBF5,00000000), ref: 002929DE
Part of subcall function 002929C8: GetLastError.KERNEL32(00000000,?,0029D7D1,00000000,00000000,00000000,00000000,?,0029D7F8,00000000,00000007,00000000,?,0029DBF5,00000000,00000000), ref: 002929F0

_free.LIBCMT ref: 0029DAB8
_free.LIBCMT ref: 0029DACD
_free.LIBCMT ref: 0029DAD8
_free.LIBCMT ref: 0029DAFA
_free.LIBCMT ref: 0029DB0D
_free.LIBCMT ref: 0029DB1B
_free.LIBCMT ref: 0029DB26
_free.LIBCMT ref: 0029DB5E
_free.LIBCMT ref: 0029DB65
_free.LIBCMT ref: 0029DB82
_free.LIBCMT ref: 0029DB9A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 857242c58931647addc0295fc7ade0c1802b1ebb6beda26ef622057f0455b7dc
Instruction ID: d6a356aaa78e869ce49f0ce509c3f71961443cc160772c2c70f5a64ad03df357
Opcode Fuzzy Hash: 857242c58931647addc0295fc7ade0c1802b1ebb6beda26ef622057f0455b7dc
Instruction Fuzzy Hash: A7315A31664206EFEF22AE39E845B5AB7E9FF10320F615419E448D7191DE31AC64AB60

Function 002C365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 002C369C
_wcslen.LIBCMT ref: 002C36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 002C3797
GetClassNameW.USER32(?,?,00000400), ref: 002C380C
GetDlgCtrlID.USER32(?), ref: 002C385D
GetWindowRect.USER32(?,?), ref: 002C3882
GetParent.USER32(?), ref: 002C38A0
ScreenToClient.USER32(00000000), ref: 002C38A7
GetClassNameW.USER32(?,?,00000100), ref: 002C3921
GetWindowTextW.USER32(?,?,00000400), ref: 002C395D

Strings

%s%u, xrefs: 002C3734

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: d0f9c8ceb3022a03494b87b34898f512078b776ec12c4b5cf324518a58bd50bd
Instruction ID: d01bf04bb0f787dbe28ab71c7329a08ae50684683459e0d9b42a1915632d8903
Opcode Fuzzy Hash: d0f9c8ceb3022a03494b87b34898f512078b776ec12c4b5cf324518a58bd50bd
Instruction Fuzzy Hash: 7791AF71214607AFD719DF24C885FAAF7A8FF44354F108A2DF999C2190DB30AA69CB91

Function 002C4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 002C4994
GetWindowTextW.USER32(?,?,00000400), ref: 002C49DA
_wcslen.LIBCMT ref: 002C49EB
CharUpperBuffW.USER32(?,00000000), ref: 002C49F7
_wcsstr.LIBVCRUNTIME ref: 002C4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 002C4A64
GetWindowTextW.USER32(?,?,00000400), ref: 002C4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 002C4AE6
GetClassNameW.USER32(?,?,00000400), ref: 002C4B20
GetWindowRect.USER32(?,?), ref: 002C4B8B

Strings

ThumbnailClass, xrefs: 002C4A6F, 002C4AF1

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: d9827eee520b2a7019c94b13fd32d54ef67a1bc7d69c4200ec9dc382c6c4300e
Instruction ID: e3e64a086d29932fd18d646c83473c7bcd6d5a331de2e9ebbf1e3efa4a3ab6eb
Opcode Fuzzy Hash: d9827eee520b2a7019c94b13fd32d54ef67a1bc7d69c4200ec9dc382c6c4300e
Instruction Fuzzy Hash: 6D91CE7142820A9BDB04EF10C9A4FAB77A8FF84354F04466EFD859A095DB30ED65CBA1

Function 002F8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00279BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00279BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002F8D5A
GetFocus.USER32 ref: 002F8D6A
GetDlgCtrlID.USER32(00000000), ref: 002F8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 002F8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002F8ECF
GetMenuItemCount.USER32(?), ref: 002F8EEC
GetMenuItemID.USER32(?,00000000), ref: 002F8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002F8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002F8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002F8FA1

Strings

0, xrefs: 002F8E9F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: be82ad035aa5993397e3cb4fe098a6971790f431e33fb31b22739cb0e9cd23e3
Instruction ID: 7cb0bec8af4d42c9b1b55930ec25a789811aaaecf22dd352c8482f5cce1c17a0
Opcode Fuzzy Hash: be82ad035aa5993397e3cb4fe098a6971790f431e33fb31b22739cb0e9cd23e3
Instruction Fuzzy Hash: 7581C07151830A9FD710CF24D984A7BFBE9FF88394F100629FA8597291DB70D910CBA2

Function 002CDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 002CDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002CDC46
_wcslen.LIBCMT ref: 002CDC50
_wcsstr.LIBVCRUNTIME ref: 002CDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 002CDCBC

Strings

04090000, xrefs: 002CDCF2
DefaultLangCodepage, xrefs: 002CDD1F
%u.%u.%u.%u, xrefs: 002CDD9A
\VarFileInfo\Translation, xrefs: 002CDCB4
StringFileInfo\, xrefs: 002CDC8F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 394f066ae84cc25a73fb72c035942903b0febcc9892f953c20ef3f0cd3c70cff
Instruction ID: 3bc71c54bd39cc121ea64135ca1ef6dca1fef8cd390e48262a69e0bfe9a13b03
Opcode Fuzzy Hash: 394f066ae84cc25a73fb72c035942903b0febcc9892f953c20ef3f0cd3c70cff
Instruction Fuzzy Hash: 464144369242097BDB04BB20DC03FFF77ACEF46760F240079F905A20C2EA7099209BA0

Function 002ECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 002ECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 002ECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 002ECD48

Part of subcall function 002ECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 002ECCAA
Part of subcall function 002ECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 002ECCBD
Part of subcall function 002ECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002ECCCF
Part of subcall function 002ECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 002ECD05
Part of subcall function 002ECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 002ECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 002ECCF3

Strings

advapi32.dll, xrefs: 002ECCB8
RegDeleteKeyExW, xrefs: 002ECCC9

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 1bcbe2b01a50b33c3a28a5e6a6b033420385182705fa289dc29ce270c45c12d8
Instruction ID: f294eedff3945bcab4183d4dfe6da00c12279cb6594e639b69af0e743310ec2b
Opcode Fuzzy Hash: 1bcbe2b01a50b33c3a28a5e6a6b033420385182705fa289dc29ce270c45c12d8
Instruction Fuzzy Hash: 4A31807194112DBBD7218F95EC8CEFFBB7CEF05790F200175E905E2240DA709A46DAA0

Function 002D3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002D3D40
_wcslen.LIBCMT ref: 002D3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 002D3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002D3DBE
RemoveDirectoryW.KERNEL32(?), ref: 002D3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002D3E55
CloseHandle.KERNEL32(00000000), ref: 002D3E60
CloseHandle.KERNEL32(00000000), ref: 002D3E6B

Strings

:, xrefs: 002D3D82
\??\%s, xrefs: 002D3D5B
\, xrefs: 002D3D77

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 3531889e1de37b8ed36ad6831eb03a34bbf17e5542f0792da335b74c447bb417
Instruction ID: 528d006f8bde768656ded24608dc29bfdfda237cecbc1ae21b6face188f5a4a4
Opcode Fuzzy Hash: 3531889e1de37b8ed36ad6831eb03a34bbf17e5542f0792da335b74c447bb417
Instruction Fuzzy Hash: FB319F7591020AAADB20EFA0EC49FEB37B9EF89750F1040B6F509D2191E7709B54CF25

Function 002CE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 002CE6B4

Part of subcall function 0027E551: timeGetTime.WINMM(?,?,002CE6D4), ref: 0027E555

Sleep.KERNEL32(0000000A), ref: 002CE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 002CE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 002CE727
SetActiveWindow.USER32 ref: 002CE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002CE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 002CE773
Sleep.KERNEL32(000000FA), ref: 002CE77E
IsWindow.USER32 ref: 002CE78A
EndDialog.USER32(00000000), ref: 002CE79B

Strings

BUTTON, xrefs: 002CE719

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c7cacfc3084341083813745a1f8512aee6028546b296d27f82f97405ddd70e5f
Instruction ID: 5ff113fd73fa654bcfa7f50db65785c4710e807945bd9cf81f1218a294d0bf71
Opcode Fuzzy Hash: c7cacfc3084341083813745a1f8512aee6028546b296d27f82f97405ddd70e5f
Instruction Fuzzy Hash: 5B219FB1220609AFEF029F21FDCEF367B6DEB54398F211538F405811A1DBB1AC24CA24

Function 002CE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002CEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002CEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002CEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002CEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002CEAA7

Strings

alias PlayMe, xrefs: 002CEA36
open , xrefs: 002CEA0C
play PlayMe wait, xrefs: 002CEA91
play PlayMe, xrefs: 002CEAA2
status PlayMe mode, xrefs: 002CEA58
close PlayMe, xrefs: 002CEA6E, 002CEA9B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 9b793184e01a3cc26cac40c4415573292327247159f77e0e2fc1152212e5cb40
Instruction ID: 02d3bdbcbd6d9ddebce13939cb88fcf0d5385e667c8ae1ae795e0266f317075c
Opcode Fuzzy Hash: 9b793184e01a3cc26cac40c4415573292327247159f77e0e2fc1152212e5cb40
Instruction Fuzzy Hash: 531137316A02697DD711E761ED4BEFF6A7CEFD1B40F400529B411A20D1DF705995C9B0

Function 002C5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 002C5CE2
GetWindowRect.USER32(00000000,?), ref: 002C5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 002C5D59
GetDlgItem.USER32(?,00000002), ref: 002C5D69
GetWindowRect.USER32(00000000,?), ref: 002C5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 002C5DCF
GetDlgItem.USER32(?,000003E9), ref: 002C5DDD
GetWindowRect.USER32(00000000,?), ref: 002C5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 002C5E31
GetDlgItem.USER32(?,000003EA), ref: 002C5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002C5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 002C5E67

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 707900fc681cb9f4f07d4a83a8f511b531362559905fcd6d8fa995b0e08b4aed
Instruction ID: 31c85249b226ad169765e34f8bbec196eaca596f9f979470085e72e434d98c39
Opcode Fuzzy Hash: 707900fc681cb9f4f07d4a83a8f511b531362559905fcd6d8fa995b0e08b4aed
Instruction Fuzzy Hash: E7511270A10619AFDF14DF68DD89EAEBBB9EF48350F108229F515E6290D770ED50CB50

Function 00278BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00278F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00278BE8,?,00000000,?,?,?,?,00278BBA,00000000,?), ref: 00278FC5

DestroyWindow.USER32(?), ref: 00278C81
KillTimer.USER32(00000000,?,?,?,?,00278BBA,00000000,?), ref: 00278D1B
DestroyAcceleratorTable.USER32(00000000), ref: 002B6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00278BBA,00000000,?), ref: 002B69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00278BBA,00000000,?), ref: 002B69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00278BBA,00000000), ref: 002B69D4
DeleteObject.GDI32(00000000), ref: 002B69E6

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: b9f4b52b77bec925971e8f625c59b35cbee010768b1e1666159745d3c3948d3f
Instruction ID: 4aa6599a5fb5d4ce27179d9465a1871139019a0693214cec5d29d3eaf9010288
Opcode Fuzzy Hash: b9f4b52b77bec925971e8f625c59b35cbee010768b1e1666159745d3c3948d3f
Instruction Fuzzy Hash: 5D61BF31521615DFCB3A9F14DA8CB65B7F1FB40362F24852DE0469B960CB75ACA0CF90

Function 00279838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00279944: GetWindowLongW.USER32(?,000000EB), ref: 00279952

GetSysColor.USER32(0000000F), ref: 00279862

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 51c3c6357d761693ca9b61d73053253c50ad2e570e91458e42497d5eb506e8aa
Instruction ID: 2d7f5e544a963baa1323f8f5c836ddfbf8ca94d572cfb7f64b1ad9080e90d85f
Opcode Fuzzy Hash: 51c3c6357d761693ca9b61d73053253c50ad2e570e91458e42497d5eb506e8aa
Instruction Fuzzy Hash: 1B41F7311157059FDB209F38EC88BBA3765EB47370F248655F9AA872E1C7319CA1DB11

Function 00298D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.(, xrefs: 0029903A, 00298FD0, 00298FF2

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID: .(
API String ID: 0-2618553908
Opcode ID: a7131d1ba7b1fd2f9330ef1e00f8809473847642378ade7f7ad1530a230a680c
Instruction ID: bdc2545d20d94c8b43c36473f28059190c5ddd26b8e8cfa6a1005b5947c96ff3
Opcode Fuzzy Hash: a7131d1ba7b1fd2f9330ef1e00f8809473847642378ade7f7ad1530a230a680c
Instruction Fuzzy Hash: C3C1E575D2424AAFDF11EFACC845BADBBB4BF0A320F184059F814A7292C7719991CF61

Function 002C96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,002AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 002C9717
LoadStringW.USER32(00000000,?,002AF7F8,00000001), ref: 002C9720

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,002AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 002C9742
LoadStringW.USER32(00000000,?,002AF7F8,00000001), ref: 002C9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 002C9866

Strings

Error: , xrefs: 002C981D
Line %d (File "%s"):, xrefs: 002C978F
^ ERROR, xrefs: 002C97FB
%s (%d) : ==> %s: %s %s, xrefs: 002C984A
Line %d:, xrefs: 002C97A0

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: da96d68fb5e1436c27c13a201d123391de1f2640a73741257e520b6237068507
Instruction ID: 231dc83dffa94391540cf0c9ddbd3efd9bf0c89725ca1b82599358ffe1b5eac6
Opcode Fuzzy Hash: da96d68fb5e1436c27c13a201d123391de1f2640a73741257e520b6237068507
Instruction Fuzzy Hash: E1413F72810219AACB05FBE0DE46EEEB37CAF55740F200165F50572191EE356FA8CF61

Function 002C06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00266B57: _wcslen.LIBCMT ref: 00266B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002C07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002C07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002C07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 002C0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 002C082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002C0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002C083C

Strings

\IPC$, xrefs: 002C0784
SOFTWARE\Classes\, xrefs: 002C070E
\CLSID, xrefs: 002C0724

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 713734a7c901298a2aa75539a49435d8a7154c0935510b25e32ac6692bf50352
Instruction ID: 9942d5c03bb1ae53e1181a29cab2ea1f33bf8ce3a49067f0a72c3109470549de
Opcode Fuzzy Hash: 713734a7c901298a2aa75539a49435d8a7154c0935510b25e32ac6692bf50352
Instruction Fuzzy Hash: 6141E472820229EADB15EFA4DC95DEDB778AF04750B144169E905B3161EB309EA4CFA0

Function 002E3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002E3C5C
CoInitialize.OLE32(00000000), ref: 002E3C8A
CoUninitialize.OLE32 ref: 002E3C94
_wcslen.LIBCMT ref: 002E3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 002E3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 002E3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 002E3F0E
CoGetObject.OLE32(?,00000000,002FFB98,?), ref: 002E3F2D
SetErrorMode.KERNEL32(00000000), ref: 002E3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002E3FC4
VariantClear.OLEAUT32(?), ref: 002E3FD8

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 249b85402b076d39c614dcfec391abfa370dc6549eecd6432b50d6fd3d8ec1a5
Instruction ID: 1bb32e561d8f742d79a2723450abe51491ed403f260078a8ac002a50c60b16d4
Opcode Fuzzy Hash: 249b85402b076d39c614dcfec391abfa370dc6549eecd6432b50d6fd3d8ec1a5
Instruction Fuzzy Hash: D9C175716283459FD700DF29C88892BB7E8FF89749F50492DF88A9B210DB30EE55CB52

Function 002D7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002D7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002D7B8F
SHGetDesktopFolder.SHELL32(?), ref: 002D7BA3
CoCreateInstance.OLE32(002FFD08,00000000,00000001,00326E6C,?), ref: 002D7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002D7C74
CoTaskMemFree.OLE32(?,?), ref: 002D7CCC
SHBrowseForFolderW.SHELL32(?), ref: 002D7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002D7D7A
CoTaskMemFree.OLE32(00000000), ref: 002D7D81
CoTaskMemFree.OLE32(00000000), ref: 002D7DD6
CoUninitialize.OLE32 ref: 002D7DDC

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: c1cca60bc1f412fb10ba4990b4caf73e464342f47ed340bd174ceb344b43b6de
Instruction ID: 86103d707b820c495a67cebe7ea5ae14091cddb1545a2b7485d1163ceb338234
Opcode Fuzzy Hash: c1cca60bc1f412fb10ba4990b4caf73e464342f47ed340bd174ceb344b43b6de
Instruction Fuzzy Hash: 06C12A75A14109AFCB14DF64C888DAEBBB9FF48314B1484AAE816DB361D730ED91CF90

Function 002F541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002F5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002F5515
CharNextW.USER32(00000158), ref: 002F5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002F5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002F559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002F55AC

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 31c60a14f10f9f9d7555f77d667cad76752eeca0af674203bae4edd3c8cefac7
Instruction ID: 4369bab723348374e9720ed4b67612ccee17ab8cd67f9aa7ca2799ae1f8a51c7
Opcode Fuzzy Hash: 31c60a14f10f9f9d7555f77d667cad76752eeca0af674203bae4edd3c8cefac7
Instruction Fuzzy Hash: 6361A13092462DABDF149F50CD84DFEBBB9EB057A0F104165F725A6290D7B48AA0DB60

Function 002BFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002BFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 002BFB08
VariantInit.OLEAUT32(?), ref: 002BFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 002BFB3A
VariantCopy.OLEAUT32(?,?), ref: 002BFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 002BFBA1
VariantClear.OLEAUT32(?), ref: 002BFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 002BFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002BFBCC
VariantClear.OLEAUT32(?), ref: 002BFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002BFBE9

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 7a39d79e98f64b5d654577afbeb17a7b353e3794f1d24807e908612f6a65a1de
Instruction ID: d5c5a31cbbad008ec50f4417d5c07cb46897d26cf4668a1b0b69b3186d219dc8
Opcode Fuzzy Hash: 7a39d79e98f64b5d654577afbeb17a7b353e3794f1d24807e908612f6a65a1de
Instruction Fuzzy Hash: 5A418E34A102199FCB00DF64DD589FEBBB9EF08394F108479E945A7261DB30A955CFA0

Function 002C9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 002C9CA1
GetAsyncKeyState.USER32(000000A0), ref: 002C9D22
GetKeyState.USER32(000000A0), ref: 002C9D3D
GetAsyncKeyState.USER32(000000A1), ref: 002C9D57
GetKeyState.USER32(000000A1), ref: 002C9D6C
GetAsyncKeyState.USER32(00000011), ref: 002C9D84
GetKeyState.USER32(00000011), ref: 002C9D96
GetAsyncKeyState.USER32(00000012), ref: 002C9DAE
GetKeyState.USER32(00000012), ref: 002C9DC0
GetAsyncKeyState.USER32(0000005B), ref: 002C9DD8
GetKeyState.USER32(0000005B), ref: 002C9DEA

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a3375cdd8d7fb1576480f14a16ab337a9b57606acfd73f24858bbf6b5732b5fb
Instruction ID: 12c45f4e44c3fe6455dfed7c5a27d2ae5bddaeda9af44e9178f13a0727fd0d58
Opcode Fuzzy Hash: a3375cdd8d7fb1576480f14a16ab337a9b57606acfd73f24858bbf6b5732b5fb
Instruction Fuzzy Hash: 0D411B305147CB69FF309F64940CBB5BEA0AF25344F44425FD9C3661C2DBA55AE4C791

Function 002E055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002E05BC
inet_addr.WSOCK32(?), ref: 002E061C
gethostbyname.WSOCK32(?), ref: 002E0628
IcmpCreateFile.IPHLPAPI ref: 002E0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002E06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002E06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002E07B9
WSACleanup.WSOCK32 ref: 002E07BF

Strings

Ping, xrefs: 002E0676

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e308790c9fb055b7714f6a9e28193e6bd855bc415a9a2ddd5dc662f57da3080b
Instruction ID: 47bf6c303010c9358cae13f1e40bf5bc4e6f5de47994b2227da9076cadb0de97
Opcode Fuzzy Hash: e308790c9fb055b7714f6a9e28193e6bd855bc415a9a2ddd5dc662f57da3080b
Instruction Fuzzy Hash: 3191BF345282429FD320DF16D5C8F1ABBE4AF44318F5485A9F4698B7A2C7B0EC92CF91

Function 002E8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 002E8CF3

Part of subcall function 002C8E54: _wcslen.LIBCMT ref: 002C8E77

_wcslen.LIBCMT ref: 002E8D4E
_wcslen.LIBCMT ref: 002E8D9C
_wcslen.LIBCMT ref: 002E8DDC
_wcslen.LIBCMT ref: 002E8E6E

Strings

none, xrefs: 002E8E65, 002E8E6A
cdecl, xrefs: 002E8D48, 002E8D4D
winapi, xrefs: 002E8D96, 002E8D9B
stdcall, xrefs: 002E8DD6, 002E8DDB

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 3550be5abaa52671184130c15f3da17c37060860457b38c84f25547e2fa283cc
Instruction ID: be22009ad9c6b42f366cb7a0c2e17454e766b30cbc1064a52913e6be82d62b6c
Opcode Fuzzy Hash: 3550be5abaa52671184130c15f3da17c37060860457b38c84f25547e2fa283cc
Instruction Fuzzy Hash: 0651C531A601579BCF14DF69C9408BEB3A5BF65310BA44229F499E72C4DF30DD60CB90

Function 002E372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 002E3774
CoUninitialize.OLE32 ref: 002E377F
CoCreateInstance.OLE32(?,00000000,00000017,002FFB78,?), ref: 002E37D9
IIDFromString.OLE32(?,?), ref: 002E384C
VariantInit.OLEAUT32(?), ref: 002E38E4
VariantClear.OLEAUT32(?), ref: 002E3936

Strings

Invalid parameter, xrefs: 002E3865
Failed to create object, xrefs: 002E37E4, 002E389A
NULL Pointer assignment, xrefs: 002E381E

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d5c471cd37710c02e9b447efe76d38b4715b29ed1235510ffc29ad0c8c4fca78
Instruction ID: 82909778a6408345363068854ea33921c8588bfc70e5e50860f46a81bcd34e15
Opcode Fuzzy Hash: d5c471cd37710c02e9b447efe76d38b4715b29ed1235510ffc29ad0c8c4fca78
Instruction Fuzzy Hash: EA61FF70268341AFD310DF16D888F6ABBE8EF49755F50081DF8859B291C770EE58CB92

Function 002F8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00279BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00279BB2

Part of subcall function 0027912D: GetCursorPos.USER32(?), ref: 00279141
Part of subcall function 0027912D: ScreenToClient.USER32(00000000,?), ref: 0027915E
Part of subcall function 0027912D: GetAsyncKeyState.USER32(00000001), ref: 00279183
Part of subcall function 0027912D: GetAsyncKeyState.USER32(00000002), ref: 0027919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 002F8B6B
ImageList_EndDrag.COMCTL32 ref: 002F8B71
ReleaseCapture.USER32 ref: 002F8B77
SetWindowTextW.USER32(?,00000000), ref: 002F8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002F8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 002F8CFF

Strings

@GUI_DROPID, xrefs: 002F8C51
@GUI_DRAGFILE, xrefs: 002F8C9A
p#3, xrefs: 002F8C71

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#3
API String ID: 1924731296-3277278523
Opcode ID: 1a63735778adc67d0e45c705520ca0311da6a994b4dbe715ecebf027ecef6246
Instruction ID: cecc33c115599a5b58e257e3324707633764622452a00411394328ff527c605c
Opcode Fuzzy Hash: 1a63735778adc67d0e45c705520ca0311da6a994b4dbe715ecebf027ecef6246
Instruction Fuzzy Hash: 38518C71114208AFD704DF14DD99BBAB7E8FB88750F100529FA56972A1CB709964CB62

Function 002D3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002D33CF

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002D33F0

Strings

Error: , xrefs: 002D34D1
^ ERROR , xrefs: 002D349E
"%s" (%d) : ==> %s:%s%s, xrefs: 002D3504
Line %d (File "%s"):, xrefs: 002D3443, 002D345C
"%s" (%d) : ==> %s:, xrefs: 002D3522
Incorrect parameters to object property !, xrefs: 002D34AB

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 29c2f355bd266c54805a52370eda964b6d3c3a44f0239c3d9f8be83883eedc30
Instruction ID: c753eaa0cad6fb36e285208a926bc654b8ad801d0f7a49063e9587c487eb7c32
Opcode Fuzzy Hash: 29c2f355bd266c54805a52370eda964b6d3c3a44f0239c3d9f8be83883eedc30
Instruction Fuzzy Hash: 35519271910209AADF15EBA0DE46EEEB378AF18740F204165F50572191EF312FB8DF61

Function 002CB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002CB5FC
_wcslen.LIBCMT ref: 002CB608
_wcslen.LIBCMT ref: 002CB64D
_wcslen.LIBCMT ref: 002CB68C
_wcslen.LIBCMT ref: 002CB6C7

Strings

APPEND, xrefs: 002CB6C1, 002CB6C6
KEYS, xrefs: 002CB647, 002CB64C
EXISTS, xrefs: 002CB686, 002CB68B
REMOVE, xrefs: 002CB602, 002CB607

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 13048a35c352a4e46415b6c4998d56a158d6f33d0c766d1168698995f0337c48
Instruction ID: 84380147cd73e80ac3595f1cff8e55b45ac32096554a00932d006a9c930d614f
Opcode Fuzzy Hash: 13048a35c352a4e46415b6c4998d56a158d6f33d0c766d1168698995f0337c48
Instruction Fuzzy Hash: 3D41D632A210279BCB216F7DC892ABEB7A9AF60754F34432DE425D7284E731CD91C790

Function 002D5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002D53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002D5416
GetLastError.KERNEL32 ref: 002D5420
SetErrorMode.KERNEL32(00000000,READY), ref: 002D54A7

Strings

UNKNOWN, xrefs: 002D5444
READONLY, xrefs: 002D5452
NOTREADY, xrefs: 002D544B
READY, xrefs: 002D5460, 002D5468
INVALID, xrefs: 002D5459

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6cc3f997c14aea84a30f0b191124d1eaeafb1c6b3e594efbf8d51008b0194970
Instruction ID: ae2d08aa0dcd3aa540138cde46221f40869c8fde61ff558606aeb44b56dcf2bf
Opcode Fuzzy Hash: 6cc3f997c14aea84a30f0b191124d1eaeafb1c6b3e594efbf8d51008b0194970
Instruction Fuzzy Hash: 5431F435A105199FC710DF68D585BAABBF4FF04305F14806AE405CB392DBB0DDA2CB92

Function 002F3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 002F3C79
SetMenu.USER32(?,00000000), ref: 002F3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002F3D10
IsMenu.USER32(?), ref: 002F3D24
CreatePopupMenu.USER32 ref: 002F3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002F3D5B
DrawMenuBar.USER32 ref: 002F3D63

Strings

F, xrefs: 002F3D4E
0, xrefs: 002F3C54

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 0b3f3fc374c8d78da1155b77c676b366a32b8bf709783fd5a77ec500b5273cdb
Instruction ID: 3ae4706ad5468130323e3e00cdec39e1dcff4b755a006eada491b9470b9cf093
Opcode Fuzzy Hash: 0b3f3fc374c8d78da1155b77c676b366a32b8bf709783fd5a77ec500b5273cdb
Instruction Fuzzy Hash: DC417F7561120EEFDB14DF64E884BAAB7B5FF49390F140029FA46A7360D770AA24CF90

Function 002F3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002F3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002F3AA0
GetWindowLongW.USER32(?,000000F0), ref: 002F3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002F3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002F3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 002F3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 002F3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 002F3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 002F3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 002F3C13

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 2235348eb13337afefd36d05d900fb25d5973598d571c74553b8ed1fee41b683
Instruction ID: 7f6e15f3eeb616a6103a0a306a97c0860cafc4b9a6b90aac174d2320ba92ac18
Opcode Fuzzy Hash: 2235348eb13337afefd36d05d900fb25d5973598d571c74553b8ed1fee41b683
Instruction Fuzzy Hash: 72617975910208AFDB11DFA8CC81EFEB7B8EB09754F1000AAFA15E72A1C770AA55DF50

Function 002CB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002CB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,002CA1E1,?,00000001), ref: 002CB165
GetWindowThreadProcessId.USER32(00000000), ref: 002CB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002CA1E1,?,00000001), ref: 002CB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 002CB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,002CA1E1,?,00000001), ref: 002CB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002CA1E1,?,00000001), ref: 002CB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002CA1E1,?,00000001), ref: 002CB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,002CA1E1,?,00000001), ref: 002CB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,002CA1E1,?,00000001), ref: 002CB21D

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d23a687d5c1c4b8b4602d757e7930efcc6f6c8bfc675aeb00b3662549f5589b0
Instruction ID: 9254a66aa2f81cff31808d0b841f82196408346d6ee668c4a1da49bb5eb18475
Opcode Fuzzy Hash: d23a687d5c1c4b8b4602d757e7930efcc6f6c8bfc675aeb00b3662549f5589b0
Instruction Fuzzy Hash: 7F31B171520209BFDB269F24ED8AFBD7BADBB51361F208128F906D6190D7B89D40CF61

Function 00292C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00292C94

Part of subcall function 002929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0029D7D1,00000000,00000000,00000000,00000000,?,0029D7F8,00000000,00000007,00000000,?,0029DBF5,00000000), ref: 002929DE
Part of subcall function 002929C8: GetLastError.KERNEL32(00000000,?,0029D7D1,00000000,00000000,00000000,00000000,?,0029D7F8,00000000,00000007,00000000,?,0029DBF5,00000000,00000000), ref: 002929F0

_free.LIBCMT ref: 00292CA0
_free.LIBCMT ref: 00292CAB
_free.LIBCMT ref: 00292CB6
_free.LIBCMT ref: 00292CC1
_free.LIBCMT ref: 00292CCC
_free.LIBCMT ref: 00292CD7
_free.LIBCMT ref: 00292CE2
_free.LIBCMT ref: 00292CED
_free.LIBCMT ref: 00292CFB

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8e6aaf90575c646f5a381b707c7ad6f2ba0e302428b08c65edab10f993f2a18f
Instruction ID: c5288c9f30417542e699ba2af3b2e5f12e5e3003a1f0ad0b49ee98cc9291da71
Opcode Fuzzy Hash: 8e6aaf90575c646f5a381b707c7ad6f2ba0e302428b08c65edab10f993f2a18f
Instruction Fuzzy Hash: 3D119376120108FFDF02EF54D882DDD3BA5FF05350F6154A5FA489B222DA31EA649F90

Function 002D7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002D7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 002D7FC1
GetFileAttributesW.KERNEL32(?), ref: 002D7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 002D8005
SetCurrentDirectoryW.KERNEL32(?), ref: 002D8017
SetCurrentDirectoryW.KERNEL32(?), ref: 002D8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002D80B0

Strings

*.*, xrefs: 002D8066

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: f7834b8b19bb7dadc8fd03fddc6fed8fb3c43d998fc63559495f6940a887da83
Instruction ID: e552d103392ec944cdaf500609d23a971f3b298f6003093bc5ba7abafb864940
Opcode Fuzzy Hash: f7834b8b19bb7dadc8fd03fddc6fed8fb3c43d998fc63559495f6940a887da83
Instruction Fuzzy Hash: EB8191715282469BCB20EF14C844ABAB3E8BF88314F54486FF885C7351EB78DD65CB52

Function 00265BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00265C7A

Part of subcall function 00265D0A: GetClientRect.USER32(?,?), ref: 00265D30
Part of subcall function 00265D0A: GetWindowRect.USER32(?,?), ref: 00265D71
Part of subcall function 00265D0A: ScreenToClient.USER32(?,?), ref: 00265D99

GetDC.USER32 ref: 002A46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002A4708
SelectObject.GDI32(00000000,00000000), ref: 002A4716
SelectObject.GDI32(00000000,00000000), ref: 002A472B
ReleaseDC.USER32(?,00000000), ref: 002A4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002A47C4

Strings

U, xrefs: 002A4693

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 0be613c799688bde3731e883bc49e29f7a72c817d3fc087947ecef828fa82f8e
Instruction ID: a8e629fe6a8e39d3876ea42fab8a9e6169f747da08b60ec62d44554af6ed76f5
Opcode Fuzzy Hash: 0be613c799688bde3731e883bc49e29f7a72c817d3fc087947ecef828fa82f8e
Instruction Fuzzy Hash: 0271E430410246DFCF21AF64CD84ABABBB5FF8B360F14426AED555A166CBB1C8A1DF50

Function 002D359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002D35E4

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

LoadStringW.USER32(00332390,?,00000FFF,?), ref: 002D360A

Strings

Error: , xrefs: 002D36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 002D3724
Line %d (File "%s"):, xrefs: 002D366B
^ ERROR, xrefs: 002D36C9
"%s" (%d) : ==> %s:, xrefs: 002D3742

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 2963879da2c04cd3c9d0a877c3b3fad334e41c855836aa4531cb840e884c7c3d
Instruction ID: 27fbdc50cdd2c7cf89de15b409e18630cf193560a036c141ffbe758a78707804
Opcode Fuzzy Hash: 2963879da2c04cd3c9d0a877c3b3fad334e41c855836aa4531cb840e884c7c3d
Instruction Fuzzy Hash: CD51807281020ABBDF15EBA0DD86EEEBB78AF14310F144165F105721A1EB305BE8DFA1

Function 002DC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002DC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002DC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002DC2CA
GetLastError.KERNEL32 ref: 002DC322
SetEvent.KERNEL32(?), ref: 002DC336
InternetCloseHandle.WININET(00000000), ref: 002DC341

Strings

, xrefs: 002DC2BB

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 105ec10f9228a97c638dbbf8809e4b33c406a6781948a982b3e2d946128d3414
Instruction ID: 6dcb868d8930e6a3fd061e3089341e68f12d76f9a038bfc787082fa915961da6
Opcode Fuzzy Hash: 105ec10f9228a97c638dbbf8809e4b33c406a6781948a982b3e2d946128d3414
Instruction Fuzzy Hash: F3318DB151020AAFD7219F649D88ABB7BFCEB49790B20852FF48692300DB30DD14DB60

Function 002C989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002A3AAF,?,?,Bad directive syntax error,002FCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002C98BC
LoadStringW.USER32(00000000,?,002A3AAF,?), ref: 002C98C3

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 002C9987

Strings

Line %d (File "%s"):, xrefs: 002C992D
., xrefs: 002C996D
Error: , xrefs: 002C9955
Line %d:, xrefs: 002C9912
%s (%d) : ==> %s.: %s %s, xrefs: 002C98F1

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 52c2db84d2e5580812bcf815fbd0bc3124a2165b022cf75dd584837d3c17cb9c
Instruction ID: 414c3d798f317f23f8025a26104195840f8d406fa7dd42c6f74e613d559b816d
Opcode Fuzzy Hash: 52c2db84d2e5580812bcf815fbd0bc3124a2165b022cf75dd584837d3c17cb9c
Instruction Fuzzy Hash: 05216D3182021EABCF12EF90DC0AEEE7739BF18704F044469F519620A2EB7196B8DF50

Function 002C209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002C20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002C20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002C214D

Strings

smallicons, xrefs: 002C2115
largeicons, xrefs: 002C20E1
list, xrefs: 002C212F
SHELLDLL_DefView, xrefs: 002C20CC
details, xrefs: 002C20FB

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: b86522632bcea299318d15cfef34e059694b658d21dd3496e34c0827cc1aaa1a
Instruction ID: 6bcf5faeebb1cacfe543dc542fc5abdf3183a42db20c22769c8d851fe623dde3
Opcode Fuzzy Hash: b86522632bcea299318d15cfef34e059694b658d21dd3496e34c0827cc1aaa1a
Instruction Fuzzy Hash: DF110D7A5A8717F6F6057620EC16EF6379CCF14324B30022AFB08A50D2EEF159255E14

Function 0029CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0029CEB7
_free.LIBCMT ref: 0029CF22
_free.LIBCMT ref: 0029CF48
_free.LIBCMT ref: 0029CF71
_free.LIBCMT ref: 0029CFA9
_free.LIBCMT ref: 0029CFDA
_free.LIBCMT ref: 0029D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0029D09C
_free.LIBCMT ref: 0029D0B5

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0e593a1da06cd1a960da28b760d2dad57ac218c891c32e7cc164d30bdc8f1556
Instruction ID: b17cd5f2d81f645f13479c87fb7604dc879a253120b2b267c6c65e6dbf4651ce
Opcode Fuzzy Hash: 0e593a1da06cd1a960da28b760d2dad57ac218c891c32e7cc164d30bdc8f1556
Instruction Fuzzy Hash: 01618871924302EFDF26AFB4D8D1A6D7BE9EF05360F24016EF84597281E7319D218B90

Function 002F50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 002F5186
ShowWindow.USER32(?,00000000), ref: 002F51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002F51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002F51D1

Part of subcall function 002F6FBA: DeleteObject.GDI32(00000000), ref: 002F6FE6

GetWindowLongW.USER32(?,000000F0), ref: 002F520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002F521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002F524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 002F5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 002F5296

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: e12368f441c88ff879056c371f29a610ac73b1916cff041152e98837bc7aaf4f
Instruction ID: da3fec23a08b970ff96e4846716d36fe591c288335bd2a3b4c8992a069657eb1
Opcode Fuzzy Hash: e12368f441c88ff879056c371f29a610ac73b1916cff041152e98837bc7aaf4f
Instruction Fuzzy Hash: 6351873067062DBEEF249F24CC49BF9BB65AF053A1F144221FB19962E0C775A9A0DF40

Function 00278B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 002B6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002B68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002B68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002B68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002B68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00278874,00000000,00000000,00000000,000000FF,00000000), ref: 002B6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002B691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00278874,00000000,00000000,00000000,000000FF,00000000), ref: 002B692D

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 519c5058d61d1291a3dc482f0aef9e1706cc959a8101f6039f88773d80992ce0
Instruction ID: 5d9f6fe6008fe12ede76dd5b84497141d5369481f3cabcb99514be4b3ffaf1db
Opcode Fuzzy Hash: 519c5058d61d1291a3dc482f0aef9e1706cc959a8101f6039f88773d80992ce0
Instruction Fuzzy Hash: 28518F7062020AEFDB20CF25CC59FAA77B5FB447A4F108528F95AD72A0DB70E960DB50

Function 002DC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002DC182
GetLastError.KERNEL32 ref: 002DC195
SetEvent.KERNEL32(?), ref: 002DC1A9

Part of subcall function 002DC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002DC272
Part of subcall function 002DC253: GetLastError.KERNEL32 ref: 002DC322
Part of subcall function 002DC253: SetEvent.KERNEL32(?), ref: 002DC336
Part of subcall function 002DC253: InternetCloseHandle.WININET(00000000), ref: 002DC341

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 37441049f389b00b2873d480964741951d9b5b362e81015c44989b5755029015
Instruction ID: acebf09c2dcfa1063683a8e1bbd30b26605187f236089b9dc2a7dbf06e4952b8
Opcode Fuzzy Hash: 37441049f389b00b2873d480964741951d9b5b362e81015c44989b5755029015
Instruction Fuzzy Hash: EA318E71210606AFDB219FA5ED48A76BBF9FF58350B20842EF95A82710D731EC24DF60

Function 002C25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 002C3A57
Part of subcall function 002C3A3D: GetCurrentThreadId.KERNEL32 ref: 002C3A5E
Part of subcall function 002C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002C25B3), ref: 002C3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002C25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002C25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002C25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002C25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002C2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 002C2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 002C260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002C2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 002C2627

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2d5d4c0bab28982c059fc7189823eb592bf421a888c923af1f5c84bc2a045e41
Instruction ID: 44e7a58eb362663feb8a64f15481fb497b90658eb79de53c9e09b58ecd645aeb
Opcode Fuzzy Hash: 2d5d4c0bab28982c059fc7189823eb592bf421a888c923af1f5c84bc2a045e41
Instruction Fuzzy Hash: 1401D830794218BBFB1067689C8EF6A3F5DDF4EB61F200025F318AE0D1C9F25454CA69

Function 002C1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,002C1449,?,?,00000000), ref: 002C180C
HeapAlloc.KERNEL32(00000000,?,002C1449,?,?,00000000), ref: 002C1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002C1449,?,?,00000000), ref: 002C1828
GetCurrentProcess.KERNEL32(?,00000000,?,002C1449,?,?,00000000), ref: 002C1830
DuplicateHandle.KERNEL32(00000000,?,002C1449,?,?,00000000), ref: 002C1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002C1449,?,?,00000000), ref: 002C1843
GetCurrentProcess.KERNEL32(002C1449,00000000,?,002C1449,?,?,00000000), ref: 002C184B
DuplicateHandle.KERNEL32(00000000,?,002C1449,?,?,00000000), ref: 002C184E
CreateThread.KERNEL32(00000000,00000000,002C1874,00000000,00000000,00000000), ref: 002C1868

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ad7a02de190c81aa6082ddefa6aa6b23a392b82b5e356dab8b404d57d7ae6738
Instruction ID: edf644ef4aa18722a2225368570872c8d2c0b26edb29accf0d0a0a2a1a3ddcc6
Opcode Fuzzy Hash: ad7a02de190c81aa6082ddefa6aa6b23a392b82b5e356dab8b404d57d7ae6738
Instruction Fuzzy Hash: 7701BF75240308BFE710AB65ED4DF673B6CEB89B51F104521FA05DB191C6709820DF60

Function 00293E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00293F0B
__alldvrm.LIBCMT ref: 0029410C
__alldvrm.LIBCMT ref: 0029412E

Strings

}}(, xrefs: 00293E8A
}}(, xrefs: 002940CD
}}(, xrefs: 00293E96, 00293EF1, 00293F0A, 00294090

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}($}}($}}(
API String ID: 1036877536-243026749
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 573b879e86ae823f4296caab3f7f3153f44e0c663f8659de91795feb0531cfaf
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: BAA16876D303869FEF25EF18C891BAEBBE4EF61350F14416DE5859B281C23489A2CB50

Function 002EA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 002CD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 002CD501
Part of subcall function 002CD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 002CD50F
Part of subcall function 002CD4DC: CloseHandle.KERNELBASE(00000000), ref: 002CD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 002EA16D
GetLastError.KERNEL32 ref: 002EA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 002EA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 002EA268
GetLastError.KERNEL32(00000000), ref: 002EA273
CloseHandle.KERNEL32(00000000), ref: 002EA2C4

Strings

SeDebugPrivilege, xrefs: 002EA18F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1439bd1de13375cbcc4ef75dcfc084e4cc1928f23da50f329c443848a9dd84f6
Instruction ID: 970a21167177541b0d9326f131f6e6a88489f69f0a7d322c4da41bcc6b01bef8
Opcode Fuzzy Hash: 1439bd1de13375cbcc4ef75dcfc084e4cc1928f23da50f329c443848a9dd84f6
Instruction Fuzzy Hash: 6F619F302642829FD710DF19C494F26BBE1AF44318F54849CE95A8BBA3C772FC95CB92

Function 002F3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002F3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 002F393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002F3954
_wcslen.LIBCMT ref: 002F3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002F39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002F39F4

Strings

SysListView32, xrefs: 002F38F7

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b485eb05aae3df7c4e1b29bef0bbb034e2215fa7a6f51829c88a53d46a374b5d
Instruction ID: 773dcc639e49db979908a9b281a9898dcb1fe91a0f41ae0272b68086a0c6ffcb
Opcode Fuzzy Hash: b485eb05aae3df7c4e1b29bef0bbb034e2215fa7a6f51829c88a53d46a374b5d
Instruction Fuzzy Hash: 8D41857191021DABEB21DF64CC49BFAB7A9EF48390F100536F658E7281D7B599A0CB90

Function 002CBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002CBCFD
IsMenu.USER32(00000000), ref: 002CBD1D
CreatePopupMenu.USER32 ref: 002CBD53
GetMenuItemCount.USER32(014860B0), ref: 002CBDA4
InsertMenuItemW.USER32(014860B0,?,00000001,00000030), ref: 002CBDCC

Strings

2, xrefs: 002CBD37
0, xrefs: 002CBCA8

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 72433213a4573bdd75e0c679606627e18914606ae0f08210e459aa2e1fbe74c0
Instruction ID: a464bebfd0650b1c7e8d8656f97614c868b2a1a647797d5fec16ef2fc0f043ce
Opcode Fuzzy Hash: 72433213a4573bdd75e0c679606627e18914606ae0f08210e459aa2e1fbe74c0
Instruction Fuzzy Hash: 4751D37061024A9BDF12CFA8D88AFAEBBF8BF45314F24436DE402E7290D7719955CB51

Function 00282D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00282D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00282D53
_ValidateLocalCookies.LIBCMT ref: 00282DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00282E0C
_ValidateLocalCookies.LIBCMT ref: 00282E61

Strings

csm, xrefs: 00282DF6
&H(, xrefs: 00282DFE, 00282E07, 00282E18

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H($csm
API String ID: 1170836740-1485831292
Opcode ID: c80603441e8d756117bd1157452bb1cf35a7f5011869c11da8ed97117185ee67
Instruction ID: 615fc9e1d7de3f1009fdcd4293c1ac7033fc668bcc126d98834bb30a3c8647bc
Opcode Fuzzy Hash: c80603441e8d756117bd1157452bb1cf35a7f5011869c11da8ed97117185ee67
Instruction Fuzzy Hash: 4741D538A22209DBCF10EF68C845A9EBFB4BF44724F148155E8146B3D2D771EA29CF90

Function 002CC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 002CC913

Strings

info, xrefs: 002CC8B4
warning, xrefs: 002CC8FC
stop, xrefs: 002CC8E4
blank, xrefs: 002CC895
question, xrefs: 002CC8CC

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 63e841993d8a4571f7d0b90e1bd1e6caf3de740472d72974669e41c643f2da7b
Instruction ID: d8f63dee2543e5efc97f46f1adc4be46e9caf5d691220da5e6aebb9ec28ed2fa
Opcode Fuzzy Hash: 63e841993d8a4571f7d0b90e1bd1e6caf3de740472d72974669e41c643f2da7b
Instruction Fuzzy Hash: 20112E356AA317BAA705AB14FC83EFB679CDF15354B30012EF908A62C1D7B09D105764

Function 002CDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002CDE42
gethostname.WSOCK32(?,00000100), ref: 002CDE5C
gethostbyname.WSOCK32(?), ref: 002CDE69
inet_ntoa.WSOCK32(?), ref: 002CDEAB
_strcat.LIBCMT ref: 002CDEB9
WSACleanup.WSOCK32 ref: 002CDEDE

Strings

0.0.0.0, xrefs: 002CDE87

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: a383737f35cb0fb7ec9cc5e9f18db07b5e2aa55a855f624d8375771c857e2715
Instruction ID: 481a5557a4ea4ae488986e666af11a5e8d7309dd244ffd3ec49c006947b5de6b
Opcode Fuzzy Hash: a383737f35cb0fb7ec9cc5e9f18db07b5e2aa55a855f624d8375771c857e2715
Instruction Fuzzy Hash: 2E11E431924119ABCB20BB20ED4AEEE77ACDF15760F11027AF50996091EF718A95CB90

Function 002CED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 002CED2A
_wcslen.LIBCMT ref: 002CED3B
_wcslen.LIBCMT ref: 002CED79
_wcslen.LIBCMT ref: 002CEDAF
_wcslen.LIBCMT ref: 002CEDDF
_wcslen.LIBCMT ref: 002CEDEF
_wcslen.LIBCMT ref: 002CEE2B
_wcslen.LIBCMT ref: 002CEE5A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 55c41b2613f30a918c889d9b1393c5c8cf4764df4536322e72b95404ea9718d4
Instruction ID: c76d864ebca7a1380d5f4e5492fb854fbe467b939f98edb454b0907cffe7a068
Opcode Fuzzy Hash: 55c41b2613f30a918c889d9b1393c5c8cf4764df4536322e72b95404ea9718d4
Instruction Fuzzy Hash: EB41D669C2111976CB21FBF4888AECF73ACAF05310F104567E918E31A2FB34E265C7A5

Function 0027F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,002B682C,00000004,00000000,00000000), ref: 0027F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,002B682C,00000004,00000000,00000000), ref: 002BF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,002B682C,00000004,00000000,00000000), ref: 002BF454

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e603db38b5e92d14b59451845915cf35278dbb708655279c69b04e25d08d3cc0
Instruction ID: 2103eb9b36bab2f188d96f2773a26a37196e51aecebc846b3634719056699ac5
Opcode Fuzzy Hash: e603db38b5e92d14b59451845915cf35278dbb708655279c69b04e25d08d3cc0
Instruction Fuzzy Hash: 3E41293113C281FAC7F59F2C9F8877ABB95AB45364F14C43CE24F56560D67198A0CB11

Function 002F2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002F2D1B
GetDC.USER32(00000000), ref: 002F2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002F2D2E
ReleaseDC.USER32(00000000,00000000), ref: 002F2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002F2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002F2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002F5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 002F2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002F2DE1

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7c06a7bc334464c18dcf7195402a3aa0433e61469e725810bc11fe6a5325c6a2
Instruction ID: 69936e2825937308eb36985c1f4636ae1abb45f5dcf96a089d08906642b216c0
Opcode Fuzzy Hash: 7c06a7bc334464c18dcf7195402a3aa0433e61469e725810bc11fe6a5325c6a2
Instruction Fuzzy Hash: 4431AD72211218BBEB148F10DC89FFB3BADEF4A7A1F044065FE08DA291C6758C50CBA0

Function 002C5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 002C5637
_memcmp.LIBVCRUNTIME ref: 002C5659
_memcmp.LIBVCRUNTIME ref: 002C5671
_memcmp.LIBVCRUNTIME ref: 002C5684
_memcmp.LIBVCRUNTIME ref: 002C569E
_memcmp.LIBVCRUNTIME ref: 002C56B1
_memcmp.LIBVCRUNTIME ref: 002C56C9
_memcmp.LIBVCRUNTIME ref: 002C56E4

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b73c6662bff4f045265693f2dcf378194113f5d4cd3ae19d99159dcdc51b9e7f
Instruction ID: 327072c339fc3cc25ea1357413134ce5f5f2b8c259f966760f07f2f8a6293aa2
Opcode Fuzzy Hash: b73c6662bff4f045265693f2dcf378194113f5d4cd3ae19d99159dcdc51b9e7f
Instruction Fuzzy Hash: 0C210A6167192E77D214A9108E82FBA734CAF12385F640139FE045A5C5F760FDB186E9

Function 002E4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 002E5007
NULL Pointer assignment, xrefs: 002E502E, 002E5383

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b756dd4a3c5e6b98e8b4f8bab984781ccaefed9d4408d373da8aab0b05b64f2f
Instruction ID: 6f2f086df4c898a8856a977a8ec5277e9a140091978487b857ef7c495b9b25a0
Opcode Fuzzy Hash: b756dd4a3c5e6b98e8b4f8bab984781ccaefed9d4408d373da8aab0b05b64f2f
Instruction Fuzzy Hash: FCD10471A6065A9FDF10CF99C880FAEB7B5FF48348F548069E915AB280E370DD51CB60

Function 002A1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002A17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002A15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002A1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002A17FB,?,002A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002A16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002A16FB

Part of subcall function 00293820: RtlAllocateHeap.NTDLL(00000000,?,00331444,?,0027FDF5,?,?,0026A976,00000010,00331440,002613FC,?,002613C6,?,00261129), ref: 00293852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002A1777
__freea.LIBCMT ref: 002A17A2
__freea.LIBCMT ref: 002A17AE

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 91858367ce97b6ecc2c0f49f45cdae73f1481902a3050530462d45ce59615029
Instruction ID: 41b3c55cd04cc72695a182b6489923db00e9084ed903f75f24214813088af7a6
Opcode Fuzzy Hash: 91858367ce97b6ecc2c0f49f45cdae73f1481902a3050530462d45ce59615029
Instruction Fuzzy Hash: 2491C471E202169BDF208E64CC81EEEBBB9AF4A720F584559E901E7180DF35CC70CB60

Function 002E4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002E4648
VariantInit.OLEAUT32(?), ref: 002E4749
VariantClear.OLEAUT32(?), ref: 002E4753
VariantClear.OLEAUT32(?), ref: 002E47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 002E45D8, 002E4706, 002E47BE
Incorrect Object type in FOR..IN loop, xrefs: 002E472C

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: d32de0a1d194bf5fb7a939e352d918a94d6b59797f5a883669ec9458fb40b76c
Instruction ID: 421ff20a6ef33c01e34e7f7cc2a4f3f072830871ba5445b2a9ce656a8f311e6e
Opcode Fuzzy Hash: d32de0a1d194bf5fb7a939e352d918a94d6b59797f5a883669ec9458fb40b76c
Instruction Fuzzy Hash: 3191D370A60259AFDF20DFA6CC48FAEBBB8EF46710F108119F505AB280D7709951CFA0

Function 002D1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 002D125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 002D1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002D12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002D12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002D135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002D13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002D1430

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 436f058fbd24e059b7e992f5992fe3d5974cb8ffe46489f9a1c28ab60ae19bc8
Instruction ID: a9a11bf17b026a5d5890a654f709add5b70d453c5843245d3aa9a569aefe5b70
Opcode Fuzzy Hash: 436f058fbd24e059b7e992f5992fe3d5974cb8ffe46489f9a1c28ab60ae19bc8
Instruction Fuzzy Hash: 5F91B071A20219AFEB009F98D888BBE77B5FF45325F10402AE900E7791D775AD61CF90

Function 0027948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b7632d339ceb185adedf12a8dc99981ca53b884c2bc79cc29eaaa2095ab5fbfb
Instruction ID: 66c94d63f30ae10ddc9acf27748b119e0cfaf90ccc7eb3d9f6e887ba8e2a3b8f
Opcode Fuzzy Hash: b7632d339ceb185adedf12a8dc99981ca53b884c2bc79cc29eaaa2095ab5fbfb
Instruction Fuzzy Hash: A8911771D1021AEFCB10CFA9CC88AEEBBB8FF49320F148559E515B7251D774A992CB60

Function 002E3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002E396B
CharUpperBuffW.USER32(?,?), ref: 002E3A7A
_wcslen.LIBCMT ref: 002E3A8A
VariantClear.OLEAUT32(?), ref: 002E3C1F

Part of subcall function 002D0CDF: VariantInit.OLEAUT32(00000000), ref: 002D0D1F
Part of subcall function 002D0CDF: VariantCopy.OLEAUT32(?,?), ref: 002D0D28
Part of subcall function 002D0CDF: VariantClear.OLEAUT32(?), ref: 002D0D34

Strings

AUTOIT.ERROR, xrefs: 002E3A80, 002E3A85
Incorrect Parameter format, xrefs: 002E39A6, 002E3BA1

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: df8fe925d472c980888d7810ddd1762a3a771f6af5f02d138a8d07f66b2ea7a5
Instruction ID: d5d68762ddb72445a7afedff5386781f8d34bf2fcd6445761617361565ac93ba
Opcode Fuzzy Hash: df8fe925d472c980888d7810ddd1762a3a771f6af5f02d138a8d07f66b2ea7a5
Instruction Fuzzy Hash: CC9177746283459FC700EF25C48496AB7E4BF89314F54886EF88A9B351DB30EE55CF92

Function 002E4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 002C000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002BFF41,80070057,?,?,?,002C035E), ref: 002C002B
Part of subcall function 002C000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002BFF41,80070057,?,?), ref: 002C0046
Part of subcall function 002C000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002BFF41,80070057,?,?), ref: 002C0054
Part of subcall function 002C000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002BFF41,80070057,?), ref: 002C0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 002E4C51
_wcslen.LIBCMT ref: 002E4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 002E4DCF
CoTaskMemFree.OLE32(?), ref: 002E4DDA

Strings

NULL Pointer assignment, xrefs: 002E4E23, 002E4E52

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 03bd9deceaac3f3c3bdb9e8967a8e232d9648015df074ac8ea17bb79d62e1430
Instruction ID: d182d2b7b90b666d7cbb47ac5e704fb37a8a96912c6d5511d7d52d1d9afba581
Opcode Fuzzy Hash: 03bd9deceaac3f3c3bdb9e8967a8e232d9648015df074ac8ea17bb79d62e1430
Instruction Fuzzy Hash: FF913671D1025DABDF14EFA5C880AEEB7B8BF08300F60816AE915B7281DB709A54CF60

Function 002F20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002F2183
GetMenuItemCount.USER32(00000000), ref: 002F21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002F21DD
_wcslen.LIBCMT ref: 002F2213
GetMenuItemID.USER32(?,?), ref: 002F224D
GetSubMenu.USER32(?,?), ref: 002F225B

Part of subcall function 002C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 002C3A57
Part of subcall function 002C3A3D: GetCurrentThreadId.KERNEL32 ref: 002C3A5E
Part of subcall function 002C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002C25B3), ref: 002C3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002F22E3

Part of subcall function 002CE97B: Sleep.KERNEL32 ref: 002CE9F3

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 443760ca340dcafc1af1f4ee832435689f51064fa6e393cf724fbc52ae1597ce
Instruction ID: e417a32cd71ec5f2c8325ba51f06f0a0e065191c7a830d9bd243ad2f474227a8
Opcode Fuzzy Hash: 443760ca340dcafc1af1f4ee832435689f51064fa6e393cf724fbc52ae1597ce
Instruction Fuzzy Hash: 15719F35A20209EFCB10EFA4C845ABEB7B5EF49360F108469E916EB351D734AD55CF90

Function 002F7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01486380), ref: 002F7F37
IsWindowEnabled.USER32(01486380), ref: 002F7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 002F801E
SendMessageW.USER32(01486380,000000B0,?,?), ref: 002F8051
IsDlgButtonChecked.USER32(?,?), ref: 002F8089
GetWindowLongW.USER32(01486380,000000EC), ref: 002F80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002F80C3

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4f8c1c9de9d91c5fdcc74a64886a401b7c399357ee7628f02d1d6d762bbfa262
Instruction ID: f39e50cf5ad7057cd2e021ef097671b27755a68441ed53e569433f700df97f29
Opcode Fuzzy Hash: 4f8c1c9de9d91c5fdcc74a64886a401b7c399357ee7628f02d1d6d762bbfa262
Instruction Fuzzy Hash: E471B13461820EAFEB219F54CC84FFAFBB9EF09380F144579EA4597261CB31A865CB10

Function 002CAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 002CAEF9
GetKeyboardState.USER32(?), ref: 002CAF0E
SetKeyboardState.USER32(?), ref: 002CAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 002CAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 002CAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 002CAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 002CB020

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8df7f91d813348ee08ee17a4de7e2ffb1c167c07ff8eb4e1c5ea56f14abe0831
Instruction ID: 699e0e0e11b8e2f02c756e1aa60c4372b50e868039329c8ee98c12bec24d9dac
Opcode Fuzzy Hash: 8df7f91d813348ee08ee17a4de7e2ffb1c167c07ff8eb4e1c5ea56f14abe0831
Instruction Fuzzy Hash: 5451C5A09247DA3DFB3746348C46FBA7EA95B06308F08868DE1D9458C3C3E99CE4D752

Function 002CACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 002CAD19
GetKeyboardState.USER32(?), ref: 002CAD2E
SetKeyboardState.USER32(?), ref: 002CAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002CADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002CADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002CAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002CAE38

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b102ebbcdf102c6da28bf5cffa216fd1962bc88360713ef6bfac9fdb98ae2aec
Instruction ID: ee65f697dfdfa6cb3d8bfd07400d8ea85ebdb30f4ec50834dfadfab8c0d2d1bf
Opcode Fuzzy Hash: b102ebbcdf102c6da28bf5cffa216fd1962bc88360713ef6bfac9fdb98ae2aec
Instruction Fuzzy Hash: 4A5109A09647DA3DFB3747348C46F7A7E985B45308F08869CE1D6468C3C294ECA4D792

Function 0029542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(002A3CD6,?,?,?,?,?,?,?,?,00295BA3,?,?,002A3CD6,?,?), ref: 00295470
__fassign.LIBCMT ref: 002954EB
__fassign.LIBCMT ref: 00295506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,002A3CD6,00000005,00000000,00000000), ref: 0029552C
WriteFile.KERNEL32(?,002A3CD6,00000000,00295BA3,00000000,?,?,?,?,?,?,?,?,?,00295BA3,?), ref: 0029554B
WriteFile.KERNEL32(?,?,00000001,00295BA3,00000000,?,?,?,?,?,?,?,?,?,00295BA3,?), ref: 00295584

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4a03c3997126b79dc983e95c1053578f99bc00d616b6b2dc72e2fcf4d62464e5
Instruction ID: aba516f17367cb125b8ec8def14086b90ec62ad211079ac2ed4e3c18d5acf550
Opcode Fuzzy Hash: 4a03c3997126b79dc983e95c1053578f99bc00d616b6b2dc72e2fcf4d62464e5
Instruction Fuzzy Hash: D751D3B0A106099FDF11CFA8D885AEEBBF9EF09300F15411AF555E7292D7709A51CB60

Function 002E10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002E304E: inet_addr.WSOCK32(?), ref: 002E307A
Part of subcall function 002E304E: _wcslen.LIBCMT ref: 002E309B

socket.WSOCK32(00000002,00000001,00000006), ref: 002E1112
WSAGetLastError.WSOCK32 ref: 002E1121
WSAGetLastError.WSOCK32 ref: 002E11C9
closesocket.WSOCK32(00000000), ref: 002E11F9

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 907a57e51ca1114e1a42c9d1f106ebd704c35f7de90670dfcff363c02db10d1a
Instruction ID: e111c83220d70619ff003b365782757b1335db96ea132acb54aa66aef9776da7
Opcode Fuzzy Hash: 907a57e51ca1114e1a42c9d1f106ebd704c35f7de90670dfcff363c02db10d1a
Instruction Fuzzy Hash: 8D411431210249AFDB109F55D888BA9B7E9EF44364F648069FD0A9F291C770ADA1CFA0

Function 002CCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002CCF22,?), ref: 002CDDFD

Part of subcall function 002CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002CCF22,?), ref: 002CDE16

lstrcmpiW.KERNEL32(?,?), ref: 002CCF45
MoveFileW.KERNEL32(?,?), ref: 002CCF7F
_wcslen.LIBCMT ref: 002CD005
_wcslen.LIBCMT ref: 002CD01B
SHFileOperationW.SHELL32(?), ref: 002CD061

Strings

\*.*, xrefs: 002CCFF3

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 743e2754ec5b80e1eb453791b40942908d11b663bb463dc8c51a9101624c550e
Instruction ID: 6f66a86f94afa1c7b829691baeba36cfedacb2d0a3bb2b3cad5d6c34ef0fddad
Opcode Fuzzy Hash: 743e2754ec5b80e1eb453791b40942908d11b663bb463dc8c51a9101624c550e
Instruction Fuzzy Hash: D64165758552195FDF12EFA4D981FDDB7B8AF08380F1001EEE509EB142EA34AA94CF50

Function 002F2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 002F2E1C
GetWindowLongW.USER32(?,000000F0), ref: 002F2E4F
GetWindowLongW.USER32(?,000000F0), ref: 002F2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 002F2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 002F2EE0
GetWindowLongW.USER32(?,000000F0), ref: 002F2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002F2F0B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 1eb4b54fa4cd8f0e8dbbe76655d0ee30ddaa16e98655fa5e00e56ef022034ee3
Instruction ID: 81d6db090569d4330a20e0dc1bfa0e23b12d42fc5d113f10e149748e0ac5dc1f
Opcode Fuzzy Hash: 1eb4b54fa4cd8f0e8dbbe76655d0ee30ddaa16e98655fa5e00e56ef022034ee3
Instruction Fuzzy Hash: F6310530654159DFEB218F18DD98F6577A4EB8A7A0F250174FA00DF2B2CB61B858DB40

Function 002C7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002C7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002C778F
SysAllocString.OLEAUT32(00000000), ref: 002C7792
SysAllocString.OLEAUT32(?), ref: 002C77B0
SysFreeString.OLEAUT32(?), ref: 002C77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002C77DE
SysAllocString.OLEAUT32(?), ref: 002C77EC

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2994d718baa0df6bac0021b539262c603bbe1dc5196f5bd319dd45948dcaf60b
Instruction ID: 053dcf9baa0b0131e4fc3339cb09550cf7365a8e7d5719b738277ced072fc01e
Opcode Fuzzy Hash: 2994d718baa0df6bac0021b539262c603bbe1dc5196f5bd319dd45948dcaf60b
Instruction Fuzzy Hash: B521A17661821DAFDB10EFA8DD88DBBB3ACEB093A47108129B914DB150D670DC59CF64

Function 002C77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002C7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002C7868
SysAllocString.OLEAUT32(00000000), ref: 002C786B
SysAllocString.OLEAUT32 ref: 002C788C
SysFreeString.OLEAUT32 ref: 002C7895
StringFromGUID2.OLE32(?,?,00000028), ref: 002C78AF
SysAllocString.OLEAUT32(?), ref: 002C78BD

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b6bbc12351b17a124799971ce6f600b80c6b3fdb74f7e04322def615f81b46b2
Instruction ID: 5d9e7014a14ae0dfdcd907f9b12e87b6f8bda1fe7b9ac99188a68173c250be72
Opcode Fuzzy Hash: b6bbc12351b17a124799971ce6f600b80c6b3fdb74f7e04322def615f81b46b2
Instruction Fuzzy Hash: 2B217431618109AFDB10AFA8DC8DEBA77ECEB097607108229FA15CB2A1D670DC51DF64

Function 002D04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002D04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002D052E

Strings

nul, xrefs: 002D0567

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 96859769bdd60437a95b504197b6b30787dc07da9c9f00edb6ede696023076ec
Instruction ID: cea92e42f6061368bb61978822d88ecad144850547c2c7056034c7496e9fc1c9
Opcode Fuzzy Hash: 96859769bdd60437a95b504197b6b30787dc07da9c9f00edb6ede696023076ec
Instruction Fuzzy Hash: 7D217175910306DBDB209F29F889B9A77A4BF44764F604A2AECA1D72F0D7709D64CF20

Function 002D05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002D05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002D0601

Strings

nul, xrefs: 002D0639

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 0d413f23487390a321bc15297ec06b4c1cb7bcaf10342cc469946d696f896c76
Instruction ID: 02ead4e8eeee8722efce0d5740dcba282eaf708863c3393d22f8e0c647877a3e
Opcode Fuzzy Hash: 0d413f23487390a321bc15297ec06b4c1cb7bcaf10342cc469946d696f896c76
Instruction Fuzzy Hash: B92130755102069BDB209F699884BAA77A8AF95770F200A5AE8A1E73E0D6B0DD70CB50

Function 002F40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0026600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0026604C
Part of subcall function 0026600E: GetStockObject.GDI32(00000011), ref: 00266060
Part of subcall function 0026600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0026606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002F4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002F411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002F412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002F4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002F4145

Strings

Msctls_Progress32, xrefs: 002F40E3

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 14cbdd297dd31eccd4fee05788adfabe0fb6644f3c9f327c0da0899aae8b573e
Instruction ID: 46ae88456555cf518351d3b5dddebe5144a526d33ebe53520fd3f3de51086a4f
Opcode Fuzzy Hash: 14cbdd297dd31eccd4fee05788adfabe0fb6644f3c9f327c0da0899aae8b573e
Instruction Fuzzy Hash: 771151B115011D7EEB119E64CC85EE7BF5DEF08798F114121BB18A6150C6729C61DBA4

Function 0029D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0029D7A3: _free.LIBCMT ref: 0029D7CC

_free.LIBCMT ref: 0029D82D

Part of subcall function 002929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0029D7D1,00000000,00000000,00000000,00000000,?,0029D7F8,00000000,00000007,00000000,?,0029DBF5,00000000), ref: 002929DE
Part of subcall function 002929C8: GetLastError.KERNEL32(00000000,?,0029D7D1,00000000,00000000,00000000,00000000,?,0029D7F8,00000000,00000007,00000000,?,0029DBF5,00000000,00000000), ref: 002929F0

_free.LIBCMT ref: 0029D838
_free.LIBCMT ref: 0029D843
_free.LIBCMT ref: 0029D897
_free.LIBCMT ref: 0029D8A2
_free.LIBCMT ref: 0029D8AD
_free.LIBCMT ref: 0029D8B8

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 105843bb6f7383bfad0996175eb50f13fa218af44961e33a8ca1ee0a1ef2edc9
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 47110D71561B04FAEE21FFF0CC47FCBBBDC6F04700F404825B29DA6492DA65B5255AA0

Function 002CDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002CDA74
LoadStringW.USER32(00000000), ref: 002CDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002CDA91
LoadStringW.USER32(00000000), ref: 002CDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 002CDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 002CDAB9

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: c78a0a681d23da5112ad1e60c9e57bfa221dd30470a759b4ef72594f9357e194
Instruction ID: 402b48dd32997cfdce1acaf0161fb7900221cf8176b726b046a45285c96e6e72
Opcode Fuzzy Hash: c78a0a681d23da5112ad1e60c9e57bfa221dd30470a759b4ef72594f9357e194
Instruction Fuzzy Hash: A30162F290020C7FE711ABA4AE8DEF7726CEB08751F5005A6B746E2041E6749E948F74

Function 002D096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0148EAA0,0148EAA0), ref: 002D097B
EnterCriticalSection.KERNEL32(0148EA80,00000000), ref: 002D098D
TerminateThread.KERNEL32(?,000001F6), ref: 002D099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 002D09A9
CloseHandle.KERNEL32(?), ref: 002D09B8
InterlockedExchange.KERNEL32(0148EAA0,000001F6), ref: 002D09C8
LeaveCriticalSection.KERNEL32(0148EA80), ref: 002D09CF

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4ce12c73590184bfa42d26f7d9f8110c5af57c430f4742ecde36332a8ed45a7e
Instruction ID: 6f262432dc70bbf143f47b27725fbd05b7fcb9c6a32a576fc32989d72831619b
Opcode Fuzzy Hash: 4ce12c73590184bfa42d26f7d9f8110c5af57c430f4742ecde36332a8ed45a7e
Instruction Fuzzy Hash: 0FF01D31442506ABD7415F94EF8CBE67A25FF01792F501036F101908A0C774A875DF90

Function 002E1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 002E1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002E1DE1
WSAGetLastError.WSOCK32 ref: 002E1DF2
htons.WSOCK32(?), ref: 002E1EDB
inet_ntoa.WSOCK32(?), ref: 002E1E8C

Part of subcall function 002C39E8: _strlen.LIBCMT ref: 002C39F2

Part of subcall function 002E3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,002DEC0C), ref: 002E3240

_strlen.LIBCMT ref: 002E1F35

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 786be8f1dd6bdab4a318184f4ec9e927231248bbe68713feb963ebac704cdcb8
Instruction ID: 123605ecdc229704644bb4bfb58e67db28fe20a5fbe7cfe128bce71f508f9397
Opcode Fuzzy Hash: 786be8f1dd6bdab4a318184f4ec9e927231248bbe68713feb963ebac704cdcb8
Instruction Fuzzy Hash: DBB12430254381AFC324DF25C895F2A77E5AF84318FA4855CF45A8B2E2DB71EDA1CB91

Function 00265D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00265D30
GetWindowRect.USER32(?,?), ref: 00265D71
ScreenToClient.USER32(?,?), ref: 00265D99
GetClientRect.USER32(?,?), ref: 00265ED7
GetWindowRect.USER32(?,?), ref: 00265EF8

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 34bb5418077ac48fe5b7a0fb24a00f5f36f6d1c6d826e751dfe4acc7255cd998
Instruction ID: 3a218690471fe285bd62a8eb9fbb2dc8348df13e6d323deac8a380b00cdc0757
Opcode Fuzzy Hash: 34bb5418077ac48fe5b7a0fb24a00f5f36f6d1c6d826e751dfe4acc7255cd998
Instruction Fuzzy Hash: E5B16934A2064ADFDB10DFA8C5806EAB7F1FF58310F14851AE8A9D7250DB74EAA1DB50

Function 002901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002900D6
__allrem.LIBCMT ref: 002900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0029010B
__allrem.LIBCMT ref: 00290122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00290140

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 21c3e13fd2cc84bfcc37e1e703120ea86e68e540a0441bbb4a0542846f9a88e7
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: DF811776A2170A9FEB20AF68CD81B6B73E8AF51724F24413EF515D76C1E770E9208B50

Function 002961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002882D9,002882D9,?,?,?,0029644F,00000001,00000001,8BE85006), ref: 00296258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0029644F,00000001,00000001,8BE85006,?,?,?), ref: 002962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002963D8
__freea.LIBCMT ref: 002963E5

Part of subcall function 00293820: RtlAllocateHeap.NTDLL(00000000,?,00331444,?,0027FDF5,?,?,0026A976,00000010,00331440,002613FC,?,002613C6,?,00261129), ref: 00293852

__freea.LIBCMT ref: 002963EE
__freea.LIBCMT ref: 00296413

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f95c98bb34dec9168827ed09c62b2cdf28fd1b3a3e49d06c3acaaf0d8c67c6ae
Instruction ID: 98f4a0a930bc1d77fb7d327035ba9b8b807103b4cd2d73d2ffe6333653b5ef13
Opcode Fuzzy Hash: f95c98bb34dec9168827ed09c62b2cdf28fd1b3a3e49d06c3acaaf0d8c67c6ae
Instruction Fuzzy Hash: 6451E372A20217ABDF268FA4CC89EBF77E9EB44B50F154269FC05D6140EB34DC60CA64

Function 002EBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

Part of subcall function 002EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002EB6AE,?,?), ref: 002EC9B5
Part of subcall function 002EC998: _wcslen.LIBCMT ref: 002EC9F1
Part of subcall function 002EC998: _wcslen.LIBCMT ref: 002ECA68
Part of subcall function 002EC998: _wcslen.LIBCMT ref: 002ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002EBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002EBD25
RegCloseKey.ADVAPI32(00000000), ref: 002EBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002EBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 002EBDF3
RegCloseKey.ADVAPI32(?), ref: 002EBDFF

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 4c29c331be684a9eb6da56b754c92307c9bb43056b1e4059c5a7e7c943b36e36
Instruction ID: 91ff5ccc34d224db4f52a9347f43f8fadf48816bd1be68dcc412b96c8412d66e
Opcode Fuzzy Hash: 4c29c331be684a9eb6da56b754c92307c9bb43056b1e4059c5a7e7c943b36e36
Instruction Fuzzy Hash: B8819C30128281AFD715DF24C885E2ABBE5FF84308F64856DF4598B2A2DB31ED55CF92

Function 002BF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 002BF7B9
SysAllocString.OLEAUT32(00000001), ref: 002BF860
VariantCopy.OLEAUT32(002BFA64,00000000), ref: 002BF889
VariantClear.OLEAUT32(002BFA64), ref: 002BF8AD
VariantCopy.OLEAUT32(002BFA64,00000000), ref: 002BF8B1
VariantClear.OLEAUT32(?), ref: 002BF8BB

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: ba6c0408ff125a392dc7dc76ef1148547a000b09f185e91367b2802175412e69
Instruction ID: ccb3d82972a0fc6d548dc45a6f51e68dd44b54df3eba31cdf555bfa6d8e116aa
Opcode Fuzzy Hash: ba6c0408ff125a392dc7dc76ef1148547a000b09f185e91367b2802175412e69
Instruction Fuzzy Hash: 3C510831530300BACFA0AF65DD95BA9B3A8EF45350F208477E905DF291DBB08CA0CB96

Function 002D910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00267620: _wcslen.LIBCMT ref: 00267625

Part of subcall function 00266B57: _wcslen.LIBCMT ref: 00266B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002D94E5
_wcslen.LIBCMT ref: 002D9506
_wcslen.LIBCMT ref: 002D952D
GetSaveFileNameW.COMDLG32(00000058), ref: 002D9585

Strings

X, xrefs: 002D9412

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 21a9a4218fc0bbe7838c95002bdb338bf4c2d015ed9e352c705b8145edbd6328
Instruction ID: 4331545617bd76097efe5d88dfd9a5d6f4b20d1ee7953a662a8d30c2bd505852
Opcode Fuzzy Hash: 21a9a4218fc0bbe7838c95002bdb338bf4c2d015ed9e352c705b8145edbd6328
Instruction Fuzzy Hash: F7E1A2315283418FC724EF24C881A6AB7E4BF85314F14856EF8899B3A2DB31DD95CF91

Function 0027920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00279BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00279BB2

BeginPaint.USER32(?,?,?), ref: 00279241
GetWindowRect.USER32(?,?), ref: 002792A5
ScreenToClient.USER32(?,?), ref: 002792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002792D3
EndPaint.USER32(?,?,?,?,?), ref: 00279321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002B71EA

Part of subcall function 00279339: BeginPath.GDI32(00000000), ref: 00279357

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 47cb056a68d9139cabb8ac2f1bec78545ae26a267f84218b27807825b9a96b22
Instruction ID: f11a41d60a0ac9f76dbb9a74f5ba00b9b9e01d9a1c6ad79c1891d7ca76476cdc
Opcode Fuzzy Hash: 47cb056a68d9139cabb8ac2f1bec78545ae26a267f84218b27807825b9a96b22
Instruction Fuzzy Hash: 9E41D231124301AFD711DF24DCC4FBA7BB8EB85370F104269F969872A1C7719895DB61

Function 002D07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 002D080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 002D0847
EnterCriticalSection.KERNEL32(?), ref: 002D0863
LeaveCriticalSection.KERNEL32(?), ref: 002D08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002D08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 002D0921

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: e01e1186be223e038c71846cb5762ba70e5a3945cb33515a0e147db7844d0ca2
Instruction ID: 535f3b9a598e2e32fb821b626641238634e5ce792f1859cf183e84dbc0f803c4
Opcode Fuzzy Hash: e01e1186be223e038c71846cb5762ba70e5a3945cb33515a0e147db7844d0ca2
Instruction Fuzzy Hash: 9C416A71910209EBDF14AF54DD85AAA7778FF04310F2480B9ED049A2A6DB30EE65DFA4

Function 002F81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,002BF3AB,00000000,?,?,00000000,?,002B682C,00000004,00000000,00000000), ref: 002F824C
EnableWindow.USER32(?,00000000), ref: 002F8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002F82D1
ShowWindow.USER32(?,00000004), ref: 002F82E5
EnableWindow.USER32(?,00000001), ref: 002F830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 002F832F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 0c1410179fbf771f9685eec4b57f8023409c937efd248ed3a05993e68b6910e8
Instruction ID: b92601ea4449859298aabc3412511316f7b0d019c0b44c5f5d62bf090c8a85b4
Opcode Fuzzy Hash: 0c1410179fbf771f9685eec4b57f8023409c937efd248ed3a05993e68b6910e8
Instruction Fuzzy Hash: 3641813060164DEFDB16CF14D999BB8FBE4BB45754F1841B9EA084B272CB31A855CF50

Function 002C4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 002C4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 002C4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 002C4CEA
_wcslen.LIBCMT ref: 002C4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 002C4D10
_wcsstr.LIBVCRUNTIME ref: 002C4D1A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: c23db650064311167ae091d9afbc50de31118e339356b520ba4a6410a5edf57a
Instruction ID: ae2b809e319c671c7c73c9e083ea804119fa3ba5e227334537dec7365f931f1d
Opcode Fuzzy Hash: c23db650064311167ae091d9afbc50de31118e339356b520ba4a6410a5edf57a
Instruction Fuzzy Hash: D4210A312181057BEB197F25AD19F7B7B9CDF45760F10813EF809CA1A1EA61DD20C7A0

Function 002D581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00263AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00263A97,?,?,00262E7F,?,?,?,00000000), ref: 00263AC2

_wcslen.LIBCMT ref: 002D587B
CoInitialize.OLE32(00000000), ref: 002D5995
CoCreateInstance.OLE32(002FFCF8,00000000,00000001,002FFB68,?), ref: 002D59AE
CoUninitialize.OLE32 ref: 002D59CC

Strings

.lnk, xrefs: 002D5876, 002D58C1, 002D5985

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 31f0443b17d367d6d0217755e6935a1e585054eb89239edb649b815f480cba3b
Instruction ID: f09e7018a29ab8b4288a9febed04b2ddfea04615817fbe4e4c45f481fb2e910b
Opcode Fuzzy Hash: 31f0443b17d367d6d0217755e6935a1e585054eb89239edb649b815f480cba3b
Instruction Fuzzy Hash: 12D164706247119FC714DF24C49096ABBE1EF89324F14885EF88A9B361DB71EC55CF92

Function 002C175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002C0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002C0FCA
Part of subcall function 002C0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002C0FD6
Part of subcall function 002C0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002C0FE5
Part of subcall function 002C0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002C0FEC
Part of subcall function 002C0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002C1002

GetLengthSid.ADVAPI32(?,00000000,002C1335), ref: 002C17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002C17BA
HeapAlloc.KERNEL32(00000000), ref: 002C17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002C17DA
GetProcessHeap.KERNEL32(00000000,00000000,002C1335), ref: 002C17EE
HeapFree.KERNEL32(00000000), ref: 002C17F5

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 00bb22beb6cd85df39cbd15975c741bdc768a6663b8b2007db5b0368bef9dd1b
Instruction ID: e58f16a352d10ef7692b2a9b4a54e3d85144700e07d785477633ddafa2b00dd0
Opcode Fuzzy Hash: 00bb22beb6cd85df39cbd15975c741bdc768a6663b8b2007db5b0368bef9dd1b
Instruction Fuzzy Hash: 1C119D31520209EFDB109FA4DD4AFBFBBA9EF46365F20422CF44597211C7359969CB60

Function 002C14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002C14FF
OpenProcessToken.ADVAPI32(00000000), ref: 002C1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002C1515
CloseHandle.KERNEL32(00000004), ref: 002C1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002C154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 002C1563

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e2451ab38b745c856b7cdb0419f1911384261bd64ed22c2cbfb7563d74afe558
Instruction ID: ecb9cecf82105614989cb831d54d96009df7049979bd540d27ca96015df77628
Opcode Fuzzy Hash: e2451ab38b745c856b7cdb0419f1911384261bd64ed22c2cbfb7563d74afe558
Instruction Fuzzy Hash: 2B119D7210020EABDF119F94EE09FEE7BA9EF49794F144168FA05A2060C371CE65EB60

Function 00283382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00283379,00282FE5), ref: 00283390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0028339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002833B7
SetLastError.KERNEL32(00000000,?,00283379,00282FE5), ref: 00283409

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 520e7321384a1af65fa901858b335f4064c013f44cfb0885195218338ee4ed4a
Instruction ID: 5bd8220ce3206b5477d0da84693b2790cc83e7f9ac05676d0e4b698909ba57ec
Opcode Fuzzy Hash: 520e7321384a1af65fa901858b335f4064c013f44cfb0885195218338ee4ed4a
Instruction Fuzzy Hash: C101283A23B322BEE6257B787C8596A2A98EB05B75730422DF410801F0EF118D325BC4

Function 00292D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00295686,002A3CD6,?,00000000,?,00295B6A,?,?,?,?,?,0028E6D1,?,00328A48), ref: 00292D78
_free.LIBCMT ref: 00292DAB
_free.LIBCMT ref: 00292DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0028E6D1,?,00328A48,00000010,00264F4A,?,?,00000000,002A3CD6), ref: 00292DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0028E6D1,?,00328A48,00000010,00264F4A,?,?,00000000,002A3CD6), ref: 00292DEC
_abort.LIBCMT ref: 00292DF2

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ac5dddeddbf890dd02f150f48986bbaf1644f75102f51788fa3db13988bea51e
Instruction ID: b32ad2b567fe966cd0a43155701aa1f5f4699e8a4949f99fb83f357115a56112
Opcode Fuzzy Hash: ac5dddeddbf890dd02f150f48986bbaf1644f75102f51788fa3db13988bea51e
Instruction Fuzzy Hash: 07F0A435535601F7CE226B34BC0AE6E3559AFC27F1F350429F824A2196EE649C3A46B0

Function 002F8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00279639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00279693
Part of subcall function 00279639: SelectObject.GDI32(?,00000000), ref: 002796A2
Part of subcall function 00279639: BeginPath.GDI32(?), ref: 002796B9
Part of subcall function 00279639: SelectObject.GDI32(?,00000000), ref: 002796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 002F8A4E
LineTo.GDI32(?,00000003,00000000), ref: 002F8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 002F8A70
LineTo.GDI32(?,00000000,00000003), ref: 002F8A80
EndPath.GDI32(?), ref: 002F8A90
StrokePath.GDI32(?), ref: 002F8AA0

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: cbb40e02648a3a4fc0cad26a04da9c181ec270fc249a5357dc7b969fcf9f7a43
Instruction ID: c83dc9bc212822da30a679ed8b6201b8ffc9f942678b31f2a3ab1166e04523fc
Opcode Fuzzy Hash: cbb40e02648a3a4fc0cad26a04da9c181ec270fc249a5357dc7b969fcf9f7a43
Instruction Fuzzy Hash: 32111E7600010DFFDF129F90ED88FAA7F6CEB043A4F108026BA1995161C7719D55DFA0

Function 002C51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002C5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 002C5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002C5230
ReleaseDC.USER32(00000000,00000000), ref: 002C5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 002C524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 002C5261

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 1094beac7780f493e1b9d6e9744ad203d277a6c3deeed2e9a1206dbcabf30c77
Instruction ID: 656f316c87a5117d2aa260bdb3702cd654670d91ceb2b8715ff521967dd7f43b
Opcode Fuzzy Hash: 1094beac7780f493e1b9d6e9744ad203d277a6c3deeed2e9a1206dbcabf30c77
Instruction Fuzzy Hash: C7018F75A04719BBEB109FA59D49F5EBFB8EB483A1F144065FA08E7380DA709C10CFA0

Function 00261BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00261BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00261BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00261C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00261C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00261C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00261C22

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1885e4bc61bdafdb6346f0db47c20493fcdf89a755141fb560ea3d3a1ecd2a0b
Instruction ID: a76284e63bbe6eed6056f2d64904a2f2a084fe2722dd53e54a2e389994664e66
Opcode Fuzzy Hash: 1885e4bc61bdafdb6346f0db47c20493fcdf89a755141fb560ea3d3a1ecd2a0b
Instruction Fuzzy Hash: 1D016CB09027597DE3008F5A8C85B52FFA8FF59354F00411B915C47941C7F5A864CBE5

Function 002CEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002CEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002CEB46
GetWindowThreadProcessId.USER32(?,?), ref: 002CEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002CEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002CEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002CEB75

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 65d1be6aeb5fdb1a2844129b9c998048251805ed12e8f0ba6df378643b0068d3
Instruction ID: b115ef0ce7dc44cdbeb92cfc7bba0d87b2750e47ef4bee20b4cf2fe9d297e4fb
Opcode Fuzzy Hash: 65d1be6aeb5fdb1a2844129b9c998048251805ed12e8f0ba6df378643b0068d3
Instruction Fuzzy Hash: 81F03A7224015CBBE7215B62AD0EEFF3A7CEFCABA5F100168F601D1091DBA05A11DAB5

Function 002B7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 002B7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 002B7469
GetWindowDC.USER32(?), ref: 002B7475
GetPixel.GDI32(00000000,?,?), ref: 002B7484
ReleaseDC.USER32(?,00000000), ref: 002B7496
GetSysColor.USER32(00000005), ref: 002B74B0

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 17e8746850c94d68138cac711ca306efb3c35250d67529d137cd730b418fb6cd
Instruction ID: 507ec645eee1b9c081b3ef03327852fc320e21a7ee2817a6334c4d99515bf5c9
Opcode Fuzzy Hash: 17e8746850c94d68138cac711ca306efb3c35250d67529d137cd730b418fb6cd
Instruction Fuzzy Hash: B2018B31414209EFEB115F64EE0CBFA7BB9FB443A2F600060F925A21A0CB311E61EB10

Function 002C1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 002C187F
UnloadUserProfile.USERENV(?,?), ref: 002C188B
CloseHandle.KERNEL32(?), ref: 002C1894
CloseHandle.KERNEL32(?), ref: 002C189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002C18A5
HeapFree.KERNEL32(00000000), ref: 002C18AC

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: aed266dd95770c1bdafac73644698f86b17c9638011697d87966f6abc826cfcb
Instruction ID: 5ae0f0acac6f58154c326e379ce84249701b1b3df23c306ca59c69344aa2d693
Opcode Fuzzy Hash: aed266dd95770c1bdafac73644698f86b17c9638011697d87966f6abc826cfcb
Instruction Fuzzy Hash: C9E0C236004109BBDB016BA1FE0CD1ABF29FF49BB2B208230F22981070CB329430EF50

Function 0026BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0026BEB3

Strings

D%3, xrefs: 0026BE9A
D%3D%3, xrefs: 0026BCA5
D%3, xrefs: 0026BDED, 0026BD91, 0026BD1B
D%3, xrefs: 0026BCA2

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%3$D%3$D%3$D%3D%3
API String ID: 1385522511-1169000087
Opcode ID: 45bde60c31a368fe29dace863624581738f215ab34393c9d89bec42b0f41a811
Instruction ID: a08a1b333c8d13ade1efc98cdd88de785e5a3a9482347ae282084c4f32d9f54e
Opcode Fuzzy Hash: 45bde60c31a368fe29dace863624581738f215ab34393c9d89bec42b0f41a811
Instruction Fuzzy Hash: 03914975A2020ACFCB19CF59C0906AAB7F1FF59310F24816AD945EB351E771AAE1CB90

Function 002E7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00280242: EnterCriticalSection.KERNEL32(0033070C,00331884,?,?,0027198B,00332518,?,?,?,002612F9,00000000), ref: 0028024D
Part of subcall function 00280242: LeaveCriticalSection.KERNEL32(0033070C,?,0027198B,00332518,?,?,?,002612F9,00000000), ref: 0028028A

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

Part of subcall function 002800A3: __onexit.LIBCMT ref: 002800A9

__Init_thread_footer.LIBCMT ref: 002E7BFB

Part of subcall function 002801F8: EnterCriticalSection.KERNEL32(0033070C,?,?,00278747,00332514), ref: 00280202
Part of subcall function 002801F8: LeaveCriticalSection.KERNEL32(0033070C,?,00278747,00332514), ref: 00280235

Strings

Variable must be of type 'Object'., xrefs: 002E7C3A
+T+, xrefs: 002E7E2E
G, xrefs: 002E7C7F
5, xrefs: 002E7C78

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T+$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2909380755
Opcode ID: 31d7a64d529379799450b3bc3890443b2b18bf4ead07c08fcd624a2cd28bc106
Instruction ID: c2ca1c30bb666dc55dc20e53a6f0f7be73a517cdf7145e3071b87927bbdd9d91
Opcode Fuzzy Hash: 31d7a64d529379799450b3bc3890443b2b18bf4ead07c08fcd624a2cd28bc106
Instruction Fuzzy Hash: 2091BD74A64249EFCB04EF56C8809BDB7B5FF48300F948059F806AB292DB70AE61CF50

Function 002CC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00267620: _wcslen.LIBCMT ref: 00267625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002CC6EE
_wcslen.LIBCMT ref: 002CC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002CC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002CC7CA

Strings

0, xrefs: 002CC6AF

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 07bf8fd0445e731e38cb02e3c996c210b6b13311ecc2ea1e76681ffd8849b1f6
Instruction ID: c1f8c11b72385f97811e1719a621fe49e9327a7d0c8c1c13d2b60a2052566b26
Opcode Fuzzy Hash: 07bf8fd0445e731e38cb02e3c996c210b6b13311ecc2ea1e76681ffd8849b1f6
Instruction Fuzzy Hash: 30519E716283029BD7159E28C985F6BB7E8EF85310F240B2DF999E21D0DB70D968CF52

Function 002EAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 002EAEA3

Part of subcall function 00267620: _wcslen.LIBCMT ref: 00267625

GetProcessId.KERNEL32(00000000), ref: 002EAF38
CloseHandle.KERNEL32(00000000), ref: 002EAF67

Strings

@, xrefs: 002EAE72
<, xrefs: 002EAE6B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ab35f70205c94333c8a9eb497825fa4605fe422efbe17c55cb5b55cba594d526
Instruction ID: 87145ba9273d0987311ff197464d063804f4c62dfd0e5fa14eeadb4701275216
Opcode Fuzzy Hash: ab35f70205c94333c8a9eb497825fa4605fe422efbe17c55cb5b55cba594d526
Instruction Fuzzy Hash: 22719A70A20255CFCB14DF55C484A9EBBF0BF08314F5484A9E816AB3A2C770EDA5CF91

Function 002C719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002C7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002C723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002C724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002C72CF

Strings

DllGetClassObject, xrefs: 002C7242

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a6fbeca5499ecf3b6240a2a105ee296ea7c15f218a9024bfb5e62e864807bd90
Instruction ID: a509edd9a0af875bdbe6515d63b94eda33df392ae9374f129459530220b4c200
Opcode Fuzzy Hash: a6fbeca5499ecf3b6240a2a105ee296ea7c15f218a9024bfb5e62e864807bd90
Instruction Fuzzy Hash: 24416E71614205AFDB15CF64C884FAA7BB9EF44350F2481ADBD059F20AD7B0D954CFA1

Function 002F3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002F3E35
IsMenu.USER32(?), ref: 002F3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002F3E92
DrawMenuBar.USER32 ref: 002F3EA5

Strings

0, xrefs: 002F3D89

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: ca7a480c57306d9f7b2014c31b0a650335a749186c01f43a71edc1022c05cf3c
Instruction ID: b5799dacff63c6b46fc3cd9852750d7e682a2c12075af14617f99d49a700654e
Opcode Fuzzy Hash: ca7a480c57306d9f7b2014c31b0a650335a749186c01f43a71edc1022c05cf3c
Instruction Fuzzy Hash: 0B414975A2120EEFDF10DF50D884AEABBB9FF483A4F044129EA05A7250D730AE65CF50

Function 002C1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

Part of subcall function 002C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 002C3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002C1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002C1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 002C1EA9

Part of subcall function 00266B57: _wcslen.LIBCMT ref: 00266B6A

Strings

ListBox, xrefs: 002C1E25
ComboBox, xrefs: 002C1DF0

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 3514d5b4ebb9ef4b596d1a672de2f202a3b9c141023198986b60bd9399ba17bd
Instruction ID: 38c174b0a87d54e68c4b6565d7ff82b5c99692dd5622436cb9941647040ad32c
Opcode Fuzzy Hash: 3514d5b4ebb9ef4b596d1a672de2f202a3b9c141023198986b60bd9399ba17bd
Instruction Fuzzy Hash: CC210671A10104AADB18AF64DD56DFFB7A89F46360B10422DF815E31D1DB744979CA20

Function 002F2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002F2F8D
LoadLibraryW.KERNEL32(?), ref: 002F2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002F2FA9
DestroyWindow.USER32(?), ref: 002F2FB1

Strings

SysAnimate32, xrefs: 002F2F68

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: f8c76c276228eec23c31e9bac6bb884eeeaa66b13718d48348bd15cab1521c13
Instruction ID: e5f29f2795702241fa0a67039d0d17273b45bd9f708f0f4bfff300663b998863
Opcode Fuzzy Hash: f8c76c276228eec23c31e9bac6bb884eeeaa66b13718d48348bd15cab1521c13
Instruction Fuzzy Hash: E921BB7123420AEBEB114F64DC84EBBB7BDEB5A3A4F100728FA10D25A0C371DC659B60

Function 00284D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00284D1E,002928E9,?,00284CBE,002928E9,003288B8,0000000C,00284E15,002928E9,00000002), ref: 00284D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00284DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00284D1E,002928E9,?,00284CBE,002928E9,003288B8,0000000C,00284E15,002928E9,00000002,00000000), ref: 00284DC3

Strings

mscoree.dll, xrefs: 00284D86
CorExitProcess, xrefs: 00284D98

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3fab631af4471eeabd91dbeba125d3d42df0aea4066ee9b7eb0467a1201a85b2
Instruction ID: 2bb13660ab5128d2d478d86ef1265c3368f79b0b2b92150870e33551745b82c7
Opcode Fuzzy Hash: 3fab631af4471eeabd91dbeba125d3d42df0aea4066ee9b7eb0467a1201a85b2
Instruction Fuzzy Hash: 4FF0C83451120DBBDB156F90DC5DBEEBFB5EF04B91F1000A4F809A2290CB305D50CB90

Function 00264E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00264EDD,?,00331418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00264E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00264EAE
FreeLibrary.KERNEL32(00000000,?,?,00264EDD,?,00331418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00264EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00264EA8
kernel32.dll, xrefs: 00264E94

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 4ef28f488e5b8ff23b923143c8398f52ca3e8cc0d0d6ee54c6e838c51032dcba
Instruction ID: ba9fbcf979514dd426586fe82e294beb91dccfa4ba8decc0e802b6120658eeb6
Opcode Fuzzy Hash: 4ef28f488e5b8ff23b923143c8398f52ca3e8cc0d0d6ee54c6e838c51032dcba
Instruction Fuzzy Hash: 12E08635A115279B92222B25BD1CA7BA554AF82BB27150125FD08D2100DB64CD6180A0

Function 00264E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,002A3CDE,?,00331418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00264E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00264E74
FreeLibrary.KERNEL32(00000000,?,?,002A3CDE,?,00331418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00264E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00264E6E
kernel32.dll, xrefs: 00264E5B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 16c36b9553bcf800f47eecb542a16d3fe247cbb0ef597d9487143e0b09b27652
Instruction ID: 98acf5f6c8807cf02c955a4d7bc5e227c0f0f4a47f4261c50bf5ce7a2f29f58d
Opcode Fuzzy Hash: 16c36b9553bcf800f47eecb542a16d3fe247cbb0ef597d9487143e0b09b27652
Instruction Fuzzy Hash: 97D02B395126375B46322F24BC1CDEF6A18AF82FB13250131F908E2110CF21CD71C1E0

Function 002D2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002D2C05
DeleteFileW.KERNEL32(?), ref: 002D2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002D2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002D2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002D2CC0

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 43201f38a7e657b015980b9f53e9eeae8b7af3cec51d16582993f65efd2bb249
Instruction ID: 462f932e742666e3e51d92719ad6755801043d96c51aef45af0ce8070e6ec49e
Opcode Fuzzy Hash: 43201f38a7e657b015980b9f53e9eeae8b7af3cec51d16582993f65efd2bb249
Instruction Fuzzy Hash: CDB16F71921129ABDF21EFA4CC85EDEB77DEF58350F1040A7F909E6241EA309E588F61

Function 002EA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 002EA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002EA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 002EA468
CloseHandle.KERNEL32(?), ref: 002EA63D

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 790a52943f4fdfc9f41b91d349b357678d12d618d08790747bbb35318fad9626
Instruction ID: 15d867b3f324d6484539f26afa6252af4c35648becbf6224e92099ee0932f319
Opcode Fuzzy Hash: 790a52943f4fdfc9f41b91d349b357678d12d618d08790747bbb35318fad9626
Instruction Fuzzy Hash: 0BA1CD71614301AFD720DF24C886F2AB7E5AF84714F54885DF99A9B292DBB0EC50CF92

Function 0029BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00303700), ref: 0029BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0033121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0029BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00331270,000000FF,?,0000003F,00000000,?), ref: 0029BC36
_free.LIBCMT ref: 0029BB7F

Part of subcall function 002929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0029D7D1,00000000,00000000,00000000,00000000,?,0029D7F8,00000000,00000007,00000000,?,0029DBF5,00000000), ref: 002929DE
Part of subcall function 002929C8: GetLastError.KERNEL32(00000000,?,0029D7D1,00000000,00000000,00000000,00000000,?,0029D7F8,00000000,00000007,00000000,?,0029DBF5,00000000,00000000), ref: 002929F0

_free.LIBCMT ref: 0029BD4B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: ea29466bde2b374f78c40054d74c9ea7c9a9e1eb9714b1afea0bb226362014a3
Instruction ID: 1ec2b58cdd6a7a5c06cec4ce55ed61dcf4bc5d7a324c7b2c62d3c4be4842d21e
Opcode Fuzzy Hash: ea29466bde2b374f78c40054d74c9ea7c9a9e1eb9714b1afea0bb226362014a3
Instruction Fuzzy Hash: FB51E771910209EFCF12EF65AE819AEB7BCEF40360F10466AE554D7291EB709E618B90

Function 002CE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002CCF22,?), ref: 002CDDFD

Part of subcall function 002CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002CCF22,?), ref: 002CDE16

Part of subcall function 002CE199: GetFileAttributesW.KERNEL32(?,002CCF95), ref: 002CE19A

lstrcmpiW.KERNEL32(?,?), ref: 002CE473
MoveFileW.KERNEL32(?,?), ref: 002CE4AC
_wcslen.LIBCMT ref: 002CE5EB
_wcslen.LIBCMT ref: 002CE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 002CE650

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e51aa45038ad0518d16df9569c9a97bfb67686c7925d9444ac4a752d1bf976fa
Instruction ID: 6433d262bc4bf216a2e12428f348ff0f654e4c2b0440fa0fe451328b764d413e
Opcode Fuzzy Hash: e51aa45038ad0518d16df9569c9a97bfb67686c7925d9444ac4a752d1bf976fa
Instruction Fuzzy Hash: 425182B24187855BCB34EB90D881EDB73DCAF84340F144A2EF689D3191EF74A5988B66

Function 002EB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

Part of subcall function 002EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002EB6AE,?,?), ref: 002EC9B5
Part of subcall function 002EC998: _wcslen.LIBCMT ref: 002EC9F1
Part of subcall function 002EC998: _wcslen.LIBCMT ref: 002ECA68
Part of subcall function 002EC998: _wcslen.LIBCMT ref: 002ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002EBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002EBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002EBB63
RegCloseKey.ADVAPI32(?,?), ref: 002EBBA6
RegCloseKey.ADVAPI32(00000000), ref: 002EBBB3

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f559b47fd195c32dc79b98c91a133a8fb48b05eb0c136e1bd8c37bf93e686bf6
Instruction ID: 1b5e5e6d604467d7846239b2b853a9a19535c7b03925f816dce1c72ad433b2b9
Opcode Fuzzy Hash: f559b47fd195c32dc79b98c91a133a8fb48b05eb0c136e1bd8c37bf93e686bf6
Instruction Fuzzy Hash: B1618E31128241AFD715DF14C490E2BBBE5FF84308F64856DF4998B2A2DB31ED95CB92

Function 002C8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002C8BCD
VariantClear.OLEAUT32 ref: 002C8C3E
VariantClear.OLEAUT32 ref: 002C8C9D
VariantClear.OLEAUT32(?), ref: 002C8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002C8D3B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 905542ba4099da0a5781a01fa745d394b1022bcf0c876e08d578337666724f9a
Instruction ID: acc661975b8e2f1e84f7b7bb02ae4c785a9e3270a033bcfdbb92f0fc35a425d6
Opcode Fuzzy Hash: 905542ba4099da0a5781a01fa745d394b1022bcf0c876e08d578337666724f9a
Instruction Fuzzy Hash: 39515BB5A10219EFCB14CF68D894EAAB7F8FF89314B158569E906DB350E730E911CF90

Function 002D8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002D8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 002D8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002D8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002D8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002D8C5F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 428ef03f08f64ea842bff4834179913195fb6906e5a80e17f7b93804c33c47d1
Instruction ID: 7fc36a428f08d629b6eff33017be35c4c1ba6188841330ffdcd4640f277fa093
Opcode Fuzzy Hash: 428ef03f08f64ea842bff4834179913195fb6906e5a80e17f7b93804c33c47d1
Instruction Fuzzy Hash: 34514C35A10215DFCB05DF64C880A69BBF5FF48314F088099E84AAB362DB31ED61CF90

Function 002E8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 002E8F40
GetProcAddress.KERNEL32(00000000,?), ref: 002E8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 002E8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 002E9032
FreeLibrary.KERNEL32(00000000), ref: 002E9052

Part of subcall function 0027F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,002D1043,?,7735E610), ref: 0027F6E6
Part of subcall function 0027F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,002BFA64,00000000,00000000,?,?,002D1043,?,7735E610,?,002BFA64), ref: 0027F70D

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 1a946eebd679e0246e8ef6730182126ef3dbf27040263e688c6f8f0efa867669
Instruction ID: d80e2f0a50ec86c0e2484990fb14ecfaafda97dd9f04128d518578d59552f3fb
Opcode Fuzzy Hash: 1a946eebd679e0246e8ef6730182126ef3dbf27040263e688c6f8f0efa867669
Instruction Fuzzy Hash: 10517B34610245DFC711DF69C4848ADBBF1FF49324B9480A9E84A9B762DB31ED95CF90

Function 002F6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 002F6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 002F6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 002F6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,002DAB79,00000000,00000000), ref: 002F6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 002F6CC7

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 85d1010c9a0882adb7b9f8edec5280179ab8cfd2a31a05b36ad306715cd01871
Instruction ID: 39bb49ed599027aafd4126e871150feb9195c7a93c1cfdaa83adafec6b87f56e
Opcode Fuzzy Hash: 85d1010c9a0882adb7b9f8edec5280179ab8cfd2a31a05b36ad306715cd01871
Instruction Fuzzy Hash: 3F41A33562410DAFD7248F68CD5CBB9BBA9EB093A0F150235EA95A72A1C371AD61CA40

Function 00292051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002920C3
_free.LIBCMT ref: 002920E3

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 70fc80d47149df92a5bd58324505c417a6cdfe9d04d0329d8cf80e750f1638f8
Instruction ID: da6a4145ea43af0ac6abb38bf5be686fc98560ac7f9d8f4df63042fc1d9db6e3
Opcode Fuzzy Hash: 70fc80d47149df92a5bd58324505c417a6cdfe9d04d0329d8cf80e750f1638f8
Instruction Fuzzy Hash: D841D232A20200EFCF24DF78C981A5DB7A5EF89714F158568E519EB392D631ED25CB81

Function 0027912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00279141
ScreenToClient.USER32(00000000,?), ref: 0027915E
GetAsyncKeyState.USER32(00000001), ref: 00279183
GetAsyncKeyState.USER32(00000002), ref: 0027919D

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 4256586471d4ff6bffe5c2404b953db1b86285ce8c1647eddf711704c0bdf567
Instruction ID: d49d0ae99595544be1f076818d38ce881f94ad941782a5576efd782d3fa6456a
Opcode Fuzzy Hash: 4256586471d4ff6bffe5c2404b953db1b86285ce8c1647eddf711704c0bdf567
Instruction Fuzzy Hash: 7E417F7192860BEBDF059F68C848BEEB774FB45360F208226E42DA6290C77459A4DF61

Function 002D3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002D38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 002D3922
TranslateMessage.USER32(?), ref: 002D394B
DispatchMessageW.USER32(?), ref: 002D3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002D3966

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b20069a7c94f39e3d3704af745e5c0c30abd0da08c20b9f4c83615a739b13d04
Instruction ID: 8ac7dca6427322282c7a7694e686aa6380e71c166e53004653fadd8fd11e12f2
Opcode Fuzzy Hash: b20069a7c94f39e3d3704af745e5c0c30abd0da08c20b9f4c83615a739b13d04
Instruction Fuzzy Hash: AB31C870528346DEEB35CF34D898BF637A8AB05310F14056BE462C62A0D3F49E94DB13

Function 002DCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,002DC21E,00000000), ref: 002DCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 002DCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,002DC21E,00000000), ref: 002DCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,002DC21E,00000000), ref: 002DCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,002DC21E,00000000), ref: 002DCFF2

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 48c189ebfdb72b0c2bfbcd1310c8e7f8e73ef5e36206f47b869fef8968e87b85
Instruction ID: a3f0e965aa6f6be1d9b881a8bf42c8e16bda74bcc0e8b864f46612c529f11804
Opcode Fuzzy Hash: 48c189ebfdb72b0c2bfbcd1310c8e7f8e73ef5e36206f47b869fef8968e87b85
Instruction Fuzzy Hash: FF315E7152420BEFDB20DFA5D988AABBBF9EB14350B20442FF506D2651DB30AE50DB60

Function 002C1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002C1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002C19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002C19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002C19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002C19E2

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: b1c72d7e1fba2772106900ee8b84f97bd34f0eae8147b32c1944f992df22ec97
Instruction ID: 4cb20720b3c996c924c36fd847c80804d5eece3cd2486c68e16028447ed3f8bc
Opcode Fuzzy Hash: b1c72d7e1fba2772106900ee8b84f97bd34f0eae8147b32c1944f992df22ec97
Instruction Fuzzy Hash: BE31CF7191021AEFCB04CFA8D99ABEE3BB5EB45324F104329F925A72D1C3709964CB90

Function 002F5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 002F5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 002F579D
_wcslen.LIBCMT ref: 002F57AF
_wcslen.LIBCMT ref: 002F57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 002F5816

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9068265fb44047a92593ebfbb183422867e72dbbfbed2fb4c49305c613cee1ae
Instruction ID: 001ca5e02a54e8052661dcd762a4e7d9f61a6e9d8fd38facc3e26c6a517ab212
Opcode Fuzzy Hash: 9068265fb44047a92593ebfbb183422867e72dbbfbed2fb4c49305c613cee1ae
Instruction Fuzzy Hash: 0E21813592462D9ADB209F60CC84AFDF7B8FF443A0F108226EB19EA1C0D7708995CF50

Function 002E0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 002E0951
GetForegroundWindow.USER32 ref: 002E0968
GetDC.USER32(00000000), ref: 002E09A4
GetPixel.GDI32(00000000,?,00000003), ref: 002E09B0
ReleaseDC.USER32(00000000,00000003), ref: 002E09E8

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ecd9ea76436ba8201098b632491efe08244755d16edf28f7c72368c30b22454e
Instruction ID: 0af21544aa5010c446221bbe56d7c4aae3b294e1ba2ba4ecc02f4eec89a309e1
Opcode Fuzzy Hash: ecd9ea76436ba8201098b632491efe08244755d16edf28f7c72368c30b22454e
Instruction Fuzzy Hash: 5721A135610204AFD704EF65E988AAEBBE9EF44750F108039E84AD7762DB70AC54CF50

Function 0029CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0029CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0029CDE9

Part of subcall function 00293820: RtlAllocateHeap.NTDLL(00000000,?,00331444,?,0027FDF5,?,?,0026A976,00000010,00331440,002613FC,?,002613C6,?,00261129), ref: 00293852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0029CE0F
_free.LIBCMT ref: 0029CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0029CE31

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c52a420adabbb2f4f22e99b2b7bd0f013a516960a859a7ac1c267ac1bb16728d
Instruction ID: 9529b907a214e1de5d3de1bfe8d8eeacad2af8427f4142dc859c3e26b55edd7a
Opcode Fuzzy Hash: c52a420adabbb2f4f22e99b2b7bd0f013a516960a859a7ac1c267ac1bb16728d
Instruction Fuzzy Hash: 8901A7726212167F2B215AB67C8CD7B796DEEC6BE13350129FD06C7205EA618D21C6F0

Function 00279639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00279693
SelectObject.GDI32(?,00000000), ref: 002796A2
BeginPath.GDI32(?), ref: 002796B9
SelectObject.GDI32(?,00000000), ref: 002796E2

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b49ee38ab7f1ae1c2a1a05d94c98d2ca66982bbda1a3057dbc819ed679c2e36d
Instruction ID: e51b13cdadb639f958e194db543e56303352c82489004028b83b9cb1a6b7394c
Opcode Fuzzy Hash: b49ee38ab7f1ae1c2a1a05d94c98d2ca66982bbda1a3057dbc819ed679c2e36d
Instruction Fuzzy Hash: DA218031822306EBDB129F24ED48BA93BACBB40765F108326F418A61B0D37098A5CFD4

Function 002C5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 002C5726
_memcmp.LIBVCRUNTIME ref: 002C5744
_memcmp.LIBVCRUNTIME ref: 002C5757
_memcmp.LIBVCRUNTIME ref: 002C576F
_memcmp.LIBVCRUNTIME ref: 002C5787

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ca2a3c0a96cd5f7d901c102074e2af0aaa487cf9c8add3ce65717c530193dfd9
Instruction ID: 53e46250c49f321964eb77edb6bd17246a6e22671b5aeb515634c13f9699d348
Opcode Fuzzy Hash: ca2a3c0a96cd5f7d901c102074e2af0aaa487cf9c8add3ce65717c530193dfd9
Instruction Fuzzy Hash: 3301DB652B1629BA920855109E41FBAF35C9F22395B000135FD085A1C1F660FDB586A4

Function 002C000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002BFF41,80070057,?,?,?,002C035E), ref: 002C002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002BFF41,80070057,?,?), ref: 002C0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002BFF41,80070057,?,?), ref: 002C0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002BFF41,80070057,?), ref: 002C0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002BFF41,80070057,?,?), ref: 002C0070

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 68b314954d2a5afbd8b35cad6fd2575b320bdfab5d02aba427a2452c8a00de08
Instruction ID: 685bd50391d577c5e47cb0ef9ac668b44f6410d75507684ba989bcbcefff7eaa
Opcode Fuzzy Hash: 68b314954d2a5afbd8b35cad6fd2575b320bdfab5d02aba427a2452c8a00de08
Instruction Fuzzy Hash: 0C018F72610219FFDB114F68ED88FBA7AADEB447E1F254228F905D2210D771DD50CBA0

Function 002CE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 002CE997
QueryPerformanceFrequency.KERNEL32(?), ref: 002CE9A5
Sleep.KERNEL32(00000000), ref: 002CE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 002CE9B7
Sleep.KERNEL32 ref: 002CE9F3

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4266a166c721705b67321804055dfaf301ca8afed699acb3604ebe542bb91d25
Instruction ID: f514c6ac426108fbb8613cfd1d04173aa1ca3b8dfe8cf6f9e5fe282b0d25e392
Opcode Fuzzy Hash: 4266a166c721705b67321804055dfaf301ca8afed699acb3604ebe542bb91d25
Instruction Fuzzy Hash: A7015B31C1152DDBCF009FE4E949BEEBB78FF09310F11066AE502B2140CB309565CB62

Function 002C10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002C1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,002C0B9B,?,?,?), ref: 002C1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002C0B9B,?,?,?), ref: 002C112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002C0B9B,?,?,?), ref: 002C1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002C114D

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 115c33a19902eeee7b8eab03cd64a008020dc3657ef2f209c117818bbdcca3ad
Instruction ID: 756a14b858539b33eb5d3f298e84bc317ba0cd8f979c1e3ccff8f70107e86373
Opcode Fuzzy Hash: 115c33a19902eeee7b8eab03cd64a008020dc3657ef2f209c117818bbdcca3ad
Instruction Fuzzy Hash: 64014B75100209AFDB115FA4ED4DE6A3B6EEF862B0B240428FA45C2250DB71DC20CA60

Function 002C0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002C0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002C0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002C0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002C0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002C1002

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 32a50ed1945c6e321927a8eafcd3325e601945f09d248f915063ecae1ae69d39
Instruction ID: 2ff927b1e49375fc731067c49e3c2a98f14e86dd78dbcb65250580152e5e4b32
Opcode Fuzzy Hash: 32a50ed1945c6e321927a8eafcd3325e601945f09d248f915063ecae1ae69d39
Instruction Fuzzy Hash: 24F04F35100319ABD7215FA4AD4EF673B6DEF8A7A1F214429F949C6251CA70DC60CA60

Function 002C1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002C102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002C1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002C1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002C104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002C1062

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bfa5ca27ec384a87b168e7eb28d4b79c4a52a30510d795a91db5cf5e27ad8608
Instruction ID: 052107354c2fea8ad7f5a2396a3361726f82a8a73e8a6d0134bef949e2db32f0
Opcode Fuzzy Hash: bfa5ca27ec384a87b168e7eb28d4b79c4a52a30510d795a91db5cf5e27ad8608
Instruction Fuzzy Hash: F3F06235140319EBD7215FA4ED4EF673B6DEF8A7A1F210428FD45C7251CA70D860CA60

Function 002D030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,002D017D,?,002D32FC,?,00000001,002A2592,?), ref: 002D0324
CloseHandle.KERNEL32(?,?,?,?,002D017D,?,002D32FC,?,00000001,002A2592,?), ref: 002D0331
CloseHandle.KERNEL32(?,?,?,?,002D017D,?,002D32FC,?,00000001,002A2592,?), ref: 002D033E
CloseHandle.KERNEL32(?,?,?,?,002D017D,?,002D32FC,?,00000001,002A2592,?), ref: 002D034B
CloseHandle.KERNEL32(?,?,?,?,002D017D,?,002D32FC,?,00000001,002A2592,?), ref: 002D0358
CloseHandle.KERNEL32(?,?,?,?,002D017D,?,002D32FC,?,00000001,002A2592,?), ref: 002D0365

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c7f45b7b6061ec1c7c1ea7f36d594a469abea38d811973470d68b6013fc3675b
Instruction ID: 36dff734d1ec3b729c076d215aa9d46449ac9bf43a08b5202a1fd76bfd60f324
Opcode Fuzzy Hash: c7f45b7b6061ec1c7c1ea7f36d594a469abea38d811973470d68b6013fc3675b
Instruction Fuzzy Hash: A3019C72810B569FCB30AF66D8C0916FBF9BF603153158A7FD19652A31C3B1A968DF80

Function 0029D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0029D752

Part of subcall function 002929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0029D7D1,00000000,00000000,00000000,00000000,?,0029D7F8,00000000,00000007,00000000,?,0029DBF5,00000000), ref: 002929DE
Part of subcall function 002929C8: GetLastError.KERNEL32(00000000,?,0029D7D1,00000000,00000000,00000000,00000000,?,0029D7F8,00000000,00000007,00000000,?,0029DBF5,00000000,00000000), ref: 002929F0

_free.LIBCMT ref: 0029D764
_free.LIBCMT ref: 0029D776
_free.LIBCMT ref: 0029D788
_free.LIBCMT ref: 0029D79A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2e4b1b769b3b81a2821afd362e73590450fb796fa1d441525d1abb432ac3a4f8
Instruction ID: ff4c901a4d809dfbcacfa3abb3996e294594a5f402206e1b388f0f1fe1288edb
Opcode Fuzzy Hash: 2e4b1b769b3b81a2821afd362e73590450fb796fa1d441525d1abb432ac3a4f8
Instruction Fuzzy Hash: C7F0FF32564205EB9A22EFA4F9C5C5AB7DDBB44710BA42809F04CE7501C720FC909AA4

Function 002C5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 002C5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 002C5C6F
MessageBeep.USER32(00000000), ref: 002C5C87
KillTimer.USER32(?,0000040A), ref: 002C5CA3
EndDialog.USER32(?,00000001), ref: 002C5CBD

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 67adf4d5b1f161e4ace7255252e1606756d09b8c7c8369545d72cdf299b3fa0d
Instruction ID: 85aba666c59c3050867e4e9568498136185eccbf0341385fce3d4e5374241e67
Opcode Fuzzy Hash: 67adf4d5b1f161e4ace7255252e1606756d09b8c7c8369545d72cdf299b3fa0d
Instruction Fuzzy Hash: 49016730510B189BFB205F10EE4EFA577BCBF00B45F10066EA552A10E1DBF4BA98CA50

Function 002922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002922BE

Part of subcall function 002929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0029D7D1,00000000,00000000,00000000,00000000,?,0029D7F8,00000000,00000007,00000000,?,0029DBF5,00000000), ref: 002929DE
Part of subcall function 002929C8: GetLastError.KERNEL32(00000000,?,0029D7D1,00000000,00000000,00000000,00000000,?,0029D7F8,00000000,00000007,00000000,?,0029DBF5,00000000,00000000), ref: 002929F0

_free.LIBCMT ref: 002922D0
_free.LIBCMT ref: 002922E3
_free.LIBCMT ref: 002922F4
_free.LIBCMT ref: 00292305

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 39130e4f60fbe3e0d34078486a4281dec7bcc49a13a721e814783b7f095f1a7e
Instruction ID: bea4f23aeef28fe28c015f93a1fb3bdec5658d7fa26d1086366e28c0f80360a2
Opcode Fuzzy Hash: 39130e4f60fbe3e0d34078486a4281dec7bcc49a13a721e814783b7f095f1a7e
Instruction Fuzzy Hash: 3AF05E74820520EB9F27EF54BC8180D3B6CF718760F142A0AF814D22B1C7300926EFE5

Function 002795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002795D4
StrokeAndFillPath.GDI32(?,?,002B71F7,00000000,?,?,?), ref: 002795F0
SelectObject.GDI32(?,00000000), ref: 00279603
DeleteObject.GDI32 ref: 00279616
StrokePath.GDI32(?), ref: 00279631

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 337f94e362f3e8f36b788c023933ca64f7c1ba5eee457a2c2828e39be050294a
Instruction ID: 4618a2552c39e3b9156a232bbb9bbdca470222bad34ad4d661b2f43e8ad00e52
Opcode Fuzzy Hash: 337f94e362f3e8f36b788c023933ca64f7c1ba5eee457a2c2828e39be050294a
Instruction Fuzzy Hash: 06F01935025709EBDB139F65EE5CB653B69AB01372F148324F469550F0CB3089A5DFA0

Function 00290F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002910F9
__freea.LIBCMT ref: 00291117

Part of subcall function 00291537: _free.LIBCMT ref: 0029154F

Strings

a/p, xrefs: 002911DE
am/pm, xrefs: 0029117A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 9deff8b454fdf8b9f407440621f52da2f0b894790deb992fe824eee0e2fba5e9
Instruction ID: 29e873459e7914ddb20083ee25d8bcc78e6473d1926b5436b0555d6c99df51b6
Opcode Fuzzy Hash: 9deff8b454fdf8b9f407440621f52da2f0b894790deb992fe824eee0e2fba5e9
Instruction Fuzzy Hash: 66D10131A30207DADF299F6AC895BFEB7B0EF05300F280199E9059BA54D3759DB0CB95

Function 002E61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00280242: EnterCriticalSection.KERNEL32(0033070C,00331884,?,?,0027198B,00332518,?,?,?,002612F9,00000000), ref: 0028024D
Part of subcall function 00280242: LeaveCriticalSection.KERNEL32(0033070C,?,0027198B,00332518,?,?,?,002612F9,00000000), ref: 0028028A

Part of subcall function 002800A3: __onexit.LIBCMT ref: 002800A9

__Init_thread_footer.LIBCMT ref: 002E6238

Part of subcall function 002801F8: EnterCriticalSection.KERNEL32(0033070C,?,?,00278747,00332514), ref: 00280202
Part of subcall function 002801F8: LeaveCriticalSection.KERNEL32(0033070C,?,00278747,00332514), ref: 00280235

Part of subcall function 002D359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002D35E4
Part of subcall function 002D359C: LoadStringW.USER32(00332390,?,00000FFF,?), ref: 002D360A

Strings

x#3, xrefs: 002E6353
x#3, xrefs: 002E633A
x#3, xrefs: 002E636F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#3$x#3$x#3
API String ID: 1072379062-762910278
Opcode ID: 9e937b8fd6670e683f56b5f18d8d17d55638cad7c10a3cb452fbf001e72d8fee
Instruction ID: 739a86b9710a19132030d7abd2fb97a0c05b5750026965826898bef5e472f5bf
Opcode Fuzzy Hash: 9e937b8fd6670e683f56b5f18d8d17d55638cad7c10a3cb452fbf001e72d8fee
Instruction Fuzzy Hash: 90C1CF31A60146AFCB24DF59C894EBEB7B9FF58340F508069FA059B291DB70ED64CB90

Function 00295AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO&, xrefs: 00295BA8, 00295C6C

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID: JO&
API String ID: 0-664799027
Opcode ID: 66d1c9cb1413c9a66c559cbc9bab52d4eb52e2628a683739deec010ec1604c94
Instruction ID: 6c88ed95212b76c1fbe7687296cf8b6600bb9a6368cf9c22a1d74de515b01dea
Opcode Fuzzy Hash: 66d1c9cb1413c9a66c559cbc9bab52d4eb52e2628a683739deec010ec1604c94
Instruction Fuzzy Hash: 05510475F3062AAFCF12AFA4C945FEEBBB8AF05314F14001AF804A7291D7719921CB61

Function 00298A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00298B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00298B7A
__dosmaperr.LIBCMT ref: 00298B81

Strings

.(, xrefs: 00298A63

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .(
API String ID: 2434981716-2618553908
Opcode ID: 2415e56726fd7efbdd54e7fb840b5771588648cf6172eb681ece1df3bb0058db
Instruction ID: 214516c06beb73c4e7a0eabfaf13ad99f30652e18016cd661223ee01713009cd
Opcode Fuzzy Hash: 2415e56726fd7efbdd54e7fb840b5771588648cf6172eb681ece1df3bb0058db
Instruction Fuzzy Hash: 19415B71624145AFDF259F24C8A0A7D7FE5EB87308F2C41A9F889C7152DE318C22C790

Function 002C2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002CB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002C21D0,?,?,00000034,00000800,?,00000034), ref: 002CB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 002C2760

Part of subcall function 002CB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002C21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 002CB3F8

Part of subcall function 002CB32A: GetWindowThreadProcessId.USER32(?,?), ref: 002CB355
Part of subcall function 002CB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,002C2194,00000034,?,?,00001004,00000000,00000000), ref: 002CB365
Part of subcall function 002CB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,002C2194,00000034,?,?,00001004,00000000,00000000), ref: 002CB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002C27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002C281A

Strings

@, xrefs: 002C2832

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: f10dfce5b566494a1ec1ce2b28394723501b8ecc861d9a33e58826fe3b1dedce
Instruction ID: 746ab4370589b94083f8d4c462f405ec028492be9e84afeab9fe706509f926d0
Opcode Fuzzy Hash: f10dfce5b566494a1ec1ce2b28394723501b8ecc861d9a33e58826fe3b1dedce
Instruction Fuzzy Hash: 3D413D72900218AEDB15DFA4CD86FEEBBB8AB05300F104199EA45B7181DA706E59CBA1

Function 0029172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00291769
_free.LIBCMT ref: 00291834
_free.LIBCMT ref: 0029183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00291760, 00291767, 00291796, 002917CE

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3587028468
Opcode ID: dab3e602e87f7034c991f02c3278a3208f97b8f3b8865959550afbaac1e7e8c4
Instruction ID: bf947f280203e964c22c9f878086713b25df7325c09b0b150099ca042c0c342b
Opcode Fuzzy Hash: dab3e602e87f7034c991f02c3278a3208f97b8f3b8865959550afbaac1e7e8c4
Instruction Fuzzy Hash: 2E318075A1021AEBDF22DF9A9885D9EBBFCEB85310F104166F804D7211D7708E60DBA0

Function 002CC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002CC306
DeleteMenu.USER32(?,00000007,00000000), ref: 002CC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00331990,014860B0), ref: 002CC395

Strings

0, xrefs: 002CC2DF

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 9f501d13c5b37df8f7e2a4c8b4dfd9120f40dc6ccf0583be9cf5df2687a04de7
Instruction ID: 9290d508cf078f957ee37ab53d4680a64812a097eaa3f0f1ac4c7a67168e60c2
Opcode Fuzzy Hash: 9f501d13c5b37df8f7e2a4c8b4dfd9120f40dc6ccf0583be9cf5df2687a04de7
Instruction Fuzzy Hash: 6341A2712143429FD720DF24E845F1ABBE4AF85320F2087ADF869972D1D770A954CB52

Function 002F4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002FCC08,00000000,?,?,?,?), ref: 002F44AA
GetWindowLongW.USER32 ref: 002F44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002F44D7

Strings

SysTreeView32, xrefs: 002F447C

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c3e6aa5ac1dbd1c02a99fbaea5b09df274a01e20f54b1244d0d472a577d670ba
Instruction ID: b8d427eaaf1b50be06062235b6a8555cf02a757640fa439eb05374d1b5049b48
Opcode Fuzzy Hash: c3e6aa5ac1dbd1c02a99fbaea5b09df274a01e20f54b1244d0d472a577d670ba
Instruction Fuzzy Hash: 0631723112460AAFDB11AE38DC45BE7B7A9EB48774F204725FA75E21D0D7B0EC609B50

Function 002C6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 002C6EED
VariantCopyInd.OLEAUT32(?,?), ref: 002C6F08
VariantClear.OLEAUT32(?), ref: 002C6F12

Strings

*j,, xrefs: 002C6E8B, 002C6E90, 002C6EF8

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j,
API String ID: 2173805711-1733424618
Opcode ID: 6bf02b795b477a2c93d4d913a8b2f614b00be3f0cf243737b7046107c568f7ea
Instruction ID: 9935fa4f7e67f0ae584e821e4dd16903f04a4fc0ba1b33e7ce4f92e5eee56c38
Opcode Fuzzy Hash: 6bf02b795b477a2c93d4d913a8b2f614b00be3f0cf243737b7046107c568f7ea
Instruction Fuzzy Hash: 7F31B371624205DFCB05AF64E858EBD3775EF8A300B2005ACFA038B6A1C7B09971DF90

Function 002E304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002E335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,002E3077,?,?), ref: 002E3378

inet_addr.WSOCK32(?), ref: 002E307A
_wcslen.LIBCMT ref: 002E309B
htons.WSOCK32(00000000), ref: 002E3106

Strings

255.255.255.255, xrefs: 002E3095, 002E309A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: eb7bd83baf0cd749b5aaa4253a982ef916cf86eea239d0ecc3aa336cd7698618
Instruction ID: 9306b1223b4e53dd83b4b801b766aca44b46a7e7456bbff74d37e205c1c65c49
Opcode Fuzzy Hash: eb7bd83baf0cd749b5aaa4253a982ef916cf86eea239d0ecc3aa336cd7698618
Instruction Fuzzy Hash: C83107392102869FCB20CF2AC589EA977E0EF54315FA48059E8198F392DB72DF55CB60

Function 002F3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002F3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002F3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 002F3F78

Strings

SysMonthCal32, xrefs: 002F3F0B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: b776da4835ab05f62b6ac278c5bfe2b6d9190b3761205091c2de1d25356d8148
Instruction ID: 776859c8eb16d722b1a4c190762f32bcdf8a684fc19d4308dacee9bac7668b05
Opcode Fuzzy Hash: b776da4835ab05f62b6ac278c5bfe2b6d9190b3761205091c2de1d25356d8148
Instruction Fuzzy Hash: D0219F32620219BBDF25CF50DC46FEA7B79EF48764F110224FA15AB1D0D6B5A960CB90

Function 002F4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002F4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002F4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002F471A

Strings

msctls_updown32, xrefs: 002F4684

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5726afb33ea315d4f0376520e215b984518c33de64f3f7591fd906272de070c0
Instruction ID: e16e06b313fdea3651f5239c76e41bab9a1acd67c156aaef197241be4e91b316
Opcode Fuzzy Hash: 5726afb33ea315d4f0376520e215b984518c33de64f3f7591fd906272de070c0
Instruction Fuzzy Hash: 0D2153B5610109AFEB11EF54DCC1DB777ADEB9A394B140069FA009B251C770EC61CE60

Function 002C95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002C961D

Strings

#requireadmin, xrefs: 002C95D9
#notrayicon, xrefs: 002C95B7
#OnAutoItStartRegister, xrefs: 002C95F3

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 0f71c8544542f3f684b832c44499d209bcef586bce069316bf411233dff1f2b7
Instruction ID: 5354f060b3469460b83b04c7fbcc52c76ff217ca6368aadd4a74b04a70b4b4a2
Opcode Fuzzy Hash: 0f71c8544542f3f684b832c44499d209bcef586bce069316bf411233dff1f2b7
Instruction Fuzzy Hash: 9C21343223451266C331AA28D90AFB7B39CAF55304F60412AFA4996081EBA19DF1C795

Function 002F37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002F3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002F3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002F3876

Strings

Listbox, xrefs: 002F380F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ee05af517696caea8bce88ed9f0cbbd8196ea0017dfe41593bf3bf2ec8bff6fb
Instruction ID: f0e4c8ef12957bd5f261df8e0b6b625900a8f7cd7493c387132efdbce23c72f0
Opcode Fuzzy Hash: ee05af517696caea8bce88ed9f0cbbd8196ea0017dfe41593bf3bf2ec8bff6fb
Instruction Fuzzy Hash: 3D21807262011DBBEB11DF54DC85EBBB76EEF897A0F118124FA049B190C675DC61CBA0

Function 002D49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002D4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002D4A5C
SetErrorMode.KERNEL32(00000000,?,?,002FCC08), ref: 002D4AD0

Strings

%lu, xrefs: 002D4A6F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f8e37198306ef536166296dddfafdac37a81428ac93bcabc30ef8491b22f88e8
Instruction ID: eecea4e67c5c7eb8797e40fc4c0667621c276c72ba1279672f7d0581b0b7f32d
Opcode Fuzzy Hash: f8e37198306ef536166296dddfafdac37a81428ac93bcabc30ef8491b22f88e8
Instruction Fuzzy Hash: 91318074A10109AFDB10DF54C985EAA77F8EF08318F1480A5E809DB352DB71EE55CF61

Function 002F41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002F424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002F4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002F4271

Strings

msctls_trackbar32, xrefs: 002F4226

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fa95ec8eb42e5ea8b806e93d781b31efa5c6b1f6603c60ea020f3c0dbfaf2054
Instruction ID: 95ea70946e5002968bf66af84ed42912545888ed0d25c949207908d9b9a096e0
Opcode Fuzzy Hash: fa95ec8eb42e5ea8b806e93d781b31efa5c6b1f6603c60ea020f3c0dbfaf2054
Instruction Fuzzy Hash: 0511E73125024C7EEF215E24CC46FBB77ACEF857A4F110534FA55E6090D2B1D861DB10

Function 002C2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00266B57: _wcslen.LIBCMT ref: 00266B6A

Part of subcall function 002C2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 002C2DC5
Part of subcall function 002C2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 002C2DD6
Part of subcall function 002C2DA7: GetCurrentThreadId.KERNEL32 ref: 002C2DDD
Part of subcall function 002C2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 002C2DE4

GetFocus.USER32 ref: 002C2F78

Part of subcall function 002C2DEE: GetParent.USER32(00000000), ref: 002C2DF9

GetClassNameW.USER32(?,?,00000100), ref: 002C2FC3
EnumChildWindows.USER32(?,002C303B), ref: 002C2FEB

Strings

%s%d, xrefs: 002C2FFF

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 6410ac3f135807f8d2e956e87c8ba89543a76f15a75be8f2acade4438bd3c99e
Instruction ID: 1ad3b8f71237065bc7d340e17d5e5ecc683159653b02012dc49288e617961f10
Opcode Fuzzy Hash: 6410ac3f135807f8d2e956e87c8ba89543a76f15a75be8f2acade4438bd3c99e
Instruction Fuzzy Hash: 4611D271210209ABCF40BF609C8AFFE376AAF94314F048079F909EB192DE709959CF60

Function 002F5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002F58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002F58EE
DrawMenuBar.USER32(?), ref: 002F58FD

Strings

0, xrefs: 002F588F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 86f3f5a0c325335818032764b3cb516e743f8f0da42cd79de6ad1a65767ce302
Instruction ID: a8f9ec9cfd0e4d4b2faa58b2d2d95fd99e6db28176127016c53d5351b316450b
Opcode Fuzzy Hash: 86f3f5a0c325335818032764b3cb516e743f8f0da42cd79de6ad1a65767ce302
Instruction Fuzzy Hash: 8601A13152421CEFDB109F11DC44BBEBBB4FF457A0F1080A9EA49D6151DB708AA4DF60

Function 002BD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 002BD3BF
FreeLibrary.KERNEL32 ref: 002BD3E5

Strings

X64, xrefs: 002BD2A8
GetSystemWow64DirectoryW, xrefs: 002BD3B9

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 517327495f53f966d451cda2e0d211b9dfbcbe4a6f900ca27ade09f78dea01d9
Instruction ID: 03fefc6f2776a7c23ab44559f92c32f84c7ea63cb4c5111b02f3b27cd0ef46a5
Opcode Fuzzy Hash: 517327495f53f966d451cda2e0d211b9dfbcbe4a6f900ca27ade09f78dea01d9
Instruction Fuzzy Hash: 42F05C3583563687D33546104C689FA73606F107C1B6884B4E905E1007F7A0CCB48691

Function 002C007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902bbb445beeb59be639619ab22da471d463468cb652530a468f119ec615f69
Instruction ID: cea89d9e45a582aed6e6481e3f0f47daa31d9ea33696c045ec04357426c67f0c
Opcode Fuzzy Hash: 5902bbb445beeb59be639619ab22da471d463468cb652530a468f119ec615f69
Instruction Fuzzy Hash: 9FC14875A1020AEFDB04CF94C894FAAB7B5FF48304F248698E905AB251C771ED91CB90

Function 002E342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002E3459
CoUninitialize.OLE32 ref: 002E3463
VariantInit.OLEAUT32(?), ref: 002E346E
VariantClear.OLEAUT32(?), ref: 002E371B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 2060eaf4571ee578cd1adb0e873b82616e36414c23a472c3f5c493be9375ea72
Instruction ID: a41720866632d70ace2dd7c63bbdfe75ad72e59a40e00227797b833918625e3e
Opcode Fuzzy Hash: 2060eaf4571ee578cd1adb0e873b82616e36414c23a472c3f5c493be9375ea72
Instruction Fuzzy Hash: D4A16C752243009FC700DF29C485A2AB7E5FF88314F548859F98A9B362DB70EE61CF51

Function 002C0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002FFC08,?), ref: 002C05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002FFC08,?), ref: 002C0608
CLSIDFromProgID.OLE32(?,?,00000000,002FCC40,000000FF,?,00000000,00000800,00000000,?,002FFC08,?), ref: 002C062D
_memcmp.LIBVCRUNTIME ref: 002C064E

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 4b370b3bc9482854d17ad51549a3327052d6961827403bce385f393ee5f92ed9
Instruction ID: 7455f76e85d1e34a145ab2c4d89f0f2ef84146238ed2f83e7cb59c3733946192
Opcode Fuzzy Hash: 4b370b3bc9482854d17ad51549a3327052d6961827403bce385f393ee5f92ed9
Instruction Fuzzy Hash: 34813B71A1010AEFCB04DF94C984EEEB7B9FF89315F204158E506AB250DB71AE56CF60

Function 002EA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 002EA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 002EA6BA

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

Process32NextW.KERNEL32(00000000,?), ref: 002EA79C
CloseHandle.KERNEL32(00000000), ref: 002EA7AB

Part of subcall function 0027CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,002A3303,?), ref: 0027CE8A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 000257fd972a7a8f663954a80b0782f93f0e2c338217898878d9cc34deb67144
Instruction ID: 2e381432a5cffebd5a6d91b4519eac3808086fd448a99667b302ccdce59bdb0c
Opcode Fuzzy Hash: 000257fd972a7a8f663954a80b0782f93f0e2c338217898878d9cc34deb67144
Instruction Fuzzy Hash: 5D517D715183409FD310EF25C886A6BBBE8FF89754F40892DF589972A1EB30E954CF92

Function 002A1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002A14C0

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: db079ba83e6876db64ac0d17b290894ca9180035b7023cc74632f7f32607e6e7
Instruction ID: 57b6c758584c841e39be49cf42da9bba3c540ab158f8023a25eda53d5cccd9b6
Opcode Fuzzy Hash: db079ba83e6876db64ac0d17b290894ca9180035b7023cc74632f7f32607e6e7
Instruction Fuzzy Hash: 3B413A35A30115ABDF217FBC9C46AAE3BA4EF4B370F240225F818D61D1EE7448715B61

Function 002F6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002F62E2
ScreenToClient.USER32(?,?), ref: 002F6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 002F6382

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0c36be88b3d5ea8002f22d4488e9d21018bbd309373e9c80d76bcfde6701889e
Instruction ID: 25768b6a02ac573c59bb51da12616cc1beaddebe249c261153804ea511dae19e
Opcode Fuzzy Hash: 0c36be88b3d5ea8002f22d4488e9d21018bbd309373e9c80d76bcfde6701889e
Instruction Fuzzy Hash: 0A514C74A1020AEFCB14DF54D884ABEBBB5EF557A0F1081A9F91597290D730ED91CB90

Function 002E1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 002E1AFD
WSAGetLastError.WSOCK32 ref: 002E1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 002E1B8A
WSAGetLastError.WSOCK32 ref: 002E1B94

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 6f77846c7ab5bb89f084a18f1d933c038438dbefd1b35bef4cdfd1402f7b5ccd
Instruction ID: 7ba25588a6e51c50913ed3621d1a102b65063cc4faa63d1bab4e0cfc1b5d4511
Opcode Fuzzy Hash: 6f77846c7ab5bb89f084a18f1d933c038438dbefd1b35bef4cdfd1402f7b5ccd
Instruction Fuzzy Hash: FE41E534650201AFD720AF20C88AF2577E5AB44718F54C45CF91A9F3D2D772EDA1CB90

Function 0029B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8bf157da2ecf4c753d34cb5a2c463e3a5ecd59edaf692339f55108ce3df96c
Instruction ID: 1ccf577977dd2075d850e2bd41ccdc5e21b3d0619c8a5e4884b2aa05f6c646e9
Opcode Fuzzy Hash: 8e8bf157da2ecf4c753d34cb5a2c463e3a5ecd59edaf692339f55108ce3df96c
Instruction Fuzzy Hash: 3C414E75A20304BFDB25AF78DD41B6ABBE9EF88720F10452EF501DB2D1D77199218B80

Function 002D56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002D5783
GetLastError.KERNEL32(?,00000000), ref: 002D57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002D57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002D57FA

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 23f67f1a61f9439b9d034628038e97408b1bfdc89132f60c45e868c7c7d70d29
Instruction ID: cfbbbcf192c7ee10d2781ff7c0234b61e8638acfed2e5d6d81e3d64bd7517a17
Opcode Fuzzy Hash: 23f67f1a61f9439b9d034628038e97408b1bfdc89132f60c45e868c7c7d70d29
Instruction Fuzzy Hash: 79414D35220611DFCB11EF15D544A5DBBE2EF89324B198489EC4A9B362CB70FDA0CF91

Function 0029D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00286D71,00000000,00000000,002882D9,?,002882D9,?,00000001,00286D71,?,00000001,002882D9,002882D9), ref: 0029D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0029D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0029D9AB
__freea.LIBCMT ref: 0029D9B4

Part of subcall function 00293820: RtlAllocateHeap.NTDLL(00000000,?,00331444,?,0027FDF5,?,?,0026A976,00000010,00331440,002613FC,?,002613C6,?,00261129), ref: 00293852

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: a4d184cb42dc17c683543a204ea0bf8e7b6b4a30efa0b1583d692ecb104e6bc8
Instruction ID: b093eef5ced436b5b4b5b7d38b1f892b17741d83a3bad979380039775f8d66c8
Opcode Fuzzy Hash: a4d184cb42dc17c683543a204ea0bf8e7b6b4a30efa0b1583d692ecb104e6bc8
Instruction Fuzzy Hash: A131E172A2020AABEF24EF64DC45EAF7BA5EB40310F154169FC04D7190EB35CD64DB90

Function 002F52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 002F5352
GetWindowLongW.USER32(?,000000F0), ref: 002F5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002F5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002F53A8

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: d2b05bc5b02abf4bcefabebd865380260f0a04886a3a78dc97e143cf9327ca2e
Instruction ID: cac7c234f1f3e79a4e103d5d972fe649e25cf818d7308cdd2cdbf7edb035b6c2
Opcode Fuzzy Hash: d2b05bc5b02abf4bcefabebd865380260f0a04886a3a78dc97e143cf9327ca2e
Instruction Fuzzy Hash: 3C31C334A75A2DEFEB249E1CCC55BF8B765AB043D0F5440A1FB11962E1C7F099A0DB42

Function 002CAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 002CABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 002CAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 002CAC74
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 002CACC6

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1628c0bbd5853bdd9ed9d4c33595476124b5c94200c6258c9f1040fb5a980a31
Instruction ID: 2c54cc339abfe31f078fb9f546d8fa60ea213f9cb89b6d46bb96f1bdb84bdfbd
Opcode Fuzzy Hash: 1628c0bbd5853bdd9ed9d4c33595476124b5c94200c6258c9f1040fb5a980a31
Instruction Fuzzy Hash: C9312630A6461D6FEF35CF688C08FFA7BA5AB89328F04431FE485921D1C3748BA58756

Function 002F7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 002F769A
GetWindowRect.USER32(?,?), ref: 002F7710
PtInRect.USER32(?,?,002F8B89), ref: 002F7720
MessageBeep.USER32(00000000), ref: 002F778C

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a50335d7547b64e1215ed957883d314e3a5072104ad04ecf6f83474ba6ca2f9d
Instruction ID: 6757563cfccbb0522bf19603db560ee61c1237cb15b1fabd5c9dc9c4badf4d13
Opcode Fuzzy Hash: a50335d7547b64e1215ed957883d314e3a5072104ad04ecf6f83474ba6ca2f9d
Instruction Fuzzy Hash: 78416B34A29219DFCB02EF59C894EB9F7F9BB49394F2540B8E6149B261C730A951CF90

Function 002F16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002F16EB

Part of subcall function 002C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 002C3A57
Part of subcall function 002C3A3D: GetCurrentThreadId.KERNEL32 ref: 002C3A5E
Part of subcall function 002C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002C25B3), ref: 002C3A65

GetCaretPos.USER32(?), ref: 002F16FF
ClientToScreen.USER32(00000000,?), ref: 002F174C
GetForegroundWindow.USER32 ref: 002F1752

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c282afa89ce386b6b63a184c6fc59fc5f04894144477c089c249f1517090e6d2
Instruction ID: fe38bf0ad73bf418f11e5e4709b3fc784160b6d603c429b321d9937e3406f28f
Opcode Fuzzy Hash: c282afa89ce386b6b63a184c6fc59fc5f04894144477c089c249f1517090e6d2
Instruction Fuzzy Hash: E7315D75D10249AFCB04EFA9C985CAEFBF9EF48304B5080AAE415E7211E7319E55CFA0

Function 002F8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00279BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00279BB2

GetCursorPos.USER32(?), ref: 002F9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,002B7711,?,?,?,?,?), ref: 002F9016
GetCursorPos.USER32(?), ref: 002F905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,002B7711,?,?,?), ref: 002F9094

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 709a69ac6506589038525b496077d50d34d54cf30fbdc6528dd9e409f031542f
Instruction ID: dca66e34302b2cedcf33c1393ed58011082e4c2b1071076623992f608c5836ab
Opcode Fuzzy Hash: 709a69ac6506589038525b496077d50d34d54cf30fbdc6528dd9e409f031542f
Instruction Fuzzy Hash: 9721623561011CEFDB168F54D858FFABBB9EB493A0F144079F6055B1A1C73199A0DF60

Function 002CD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,002FCB68), ref: 002CD2FB
GetLastError.KERNEL32 ref: 002CD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 002CD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,002FCB68), ref: 002CD376

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0c30ead277289b54c799cf05f1ae79d72ed72500dcd90db5861a6a39d3b60d7c
Instruction ID: 0e20e41e64d22dd721db4553cb33322f09526fa17de08bb74f6162fb96e9161d
Opcode Fuzzy Hash: 0c30ead277289b54c799cf05f1ae79d72ed72500dcd90db5861a6a39d3b60d7c
Instruction Fuzzy Hash: 4121E5705243069F8300DF24C98196EB7E8EE56364F204B6EF899C72A1DB30D955CF93

Function 002C1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002C102A
Part of subcall function 002C1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002C1036
Part of subcall function 002C1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002C1045
Part of subcall function 002C1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002C104C
Part of subcall function 002C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002C1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002C15BE
_memcmp.LIBVCRUNTIME ref: 002C15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002C1617
HeapFree.KERNEL32(00000000), ref: 002C161E

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3ab69bc04cd43f2e8334c67054eb7b4b99a738d511f5be7bdc13f7c64fbafed0
Instruction ID: 7792ecc03a5c74b51dfba495e2a6cc1882a43908a0d75bd68db259628625d33f
Opcode Fuzzy Hash: 3ab69bc04cd43f2e8334c67054eb7b4b99a738d511f5be7bdc13f7c64fbafed0
Instruction Fuzzy Hash: EA218E71E10109EFDF00DFA4C94AFEEB7B8EF45354F284559E445A7242D730AA25DB50

Function 002F2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 002F280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002F2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002F2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002F2840

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: d2c64484b8e0e6956ed5bdd3967f0f99271f9433607e9572f99712400360e896
Instruction ID: ffeffae841a0b004b6be971ea1eebffce6ca3be5dd9f5137354637bf1839c247
Opcode Fuzzy Hash: d2c64484b8e0e6956ed5bdd3967f0f99271f9433607e9572f99712400360e896
Instruction Fuzzy Hash: D3212431214119EFD710AB24C844FBAB795EF463A4F248168F526CB2E2C771FC96CB90

Function 002C78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 002C8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,002C790A,?,000000FF,?,002C8754,00000000,?,0000001C,?,?), ref: 002C8D8C
Part of subcall function 002C8D7D: lstrcpyW.KERNEL32(00000000,?,?,002C790A,?,000000FF,?,002C8754,00000000,?,0000001C,?,?,00000000), ref: 002C8DB2
Part of subcall function 002C8D7D: lstrcmpiW.KERNEL32(00000000,?,002C790A,?,000000FF,?,002C8754,00000000,?,0000001C,?,?), ref: 002C8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,002C8754,00000000,?,0000001C,?,?,00000000), ref: 002C7923
lstrcpyW.KERNEL32(00000000,?,?,002C8754,00000000,?,0000001C,?,?,00000000), ref: 002C7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,002C8754,00000000,?,0000001C,?,?,00000000), ref: 002C7984

Strings

cdecl, xrefs: 002C797B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 42881e667f89b0679366e8223246b1b8bc4d241058ce956e4f3c9be5c32e4a0d
Instruction ID: 532b24ab6243ee270b9b77a92f2b06a823d126ab3340262d92025670ad55b9c0
Opcode Fuzzy Hash: 42881e667f89b0679366e8223246b1b8bc4d241058ce956e4f3c9be5c32e4a0d
Instruction Fuzzy Hash: 9F11E93A214346ABCB155F38D845E7B77E5FF453A0B50812EF946C7264EB319821CB61

Function 002F7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 002F7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 002F7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002F7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002DB7AD,00000000), ref: 002F7D6B

Part of subcall function 00279BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00279BB2

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c7b7eb014f341755a88aabb31e5428f9f779d187b622ee73bdf25c885d548701
Instruction ID: 7cc305c5e26fb7e8480afcda1e47ff56a2b9b7a716a999554127ba979193c5ad
Opcode Fuzzy Hash: c7b7eb014f341755a88aabb31e5428f9f779d187b622ee73bdf25c885d548701
Instruction Fuzzy Hash: 9911AE3112461EAFCB109F28DC08A767BA9AF453B0F618334F939DB2E0D7308961CB80

Function 002F5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002F56BB
_wcslen.LIBCMT ref: 002F56CD
_wcslen.LIBCMT ref: 002F56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 002F5816

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 51f2d28f803e81ce56669fc522a7893fce3d7b979e9d38d8c2ed7c951782c3cd
Instruction ID: 533f8a4da97b4263657971a002acf0f56ea3283964becd4b13d2dd64c8420626
Opcode Fuzzy Hash: 51f2d28f803e81ce56669fc522a7893fce3d7b979e9d38d8c2ed7c951782c3cd
Instruction Fuzzy Hash: 8F11B47562062D96DB20AF619C85AFEB7ACBF117A0F104036FB15D6081E7B089A4CF60

Function 00291D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defa29e7c5fa74aac451c75551b368f623521d1921304088ca5b7fed452cd896
Instruction ID: 9add0a28f4f5613b9c490f3abecd837658b5dc2b3623c12580e84733b54ebdda
Opcode Fuzzy Hash: defa29e7c5fa74aac451c75551b368f623521d1921304088ca5b7fed452cd896
Instruction Fuzzy Hash: AA018BB222961B7EFE212A796CC0F27661CDF413B8F300325F525A11D2DB608C309570

Function 002C1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 002C1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002C1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002C1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002C1A8A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3fe0c0e1a3e38fb7a773d676e7870e4e200c79aff20ab06b3273554184bde977
Instruction ID: d0237f0bc2f4bc543980e5ac964370371a1c823f2f5d8875ec8c5c2aeea9359b
Opcode Fuzzy Hash: 3fe0c0e1a3e38fb7a773d676e7870e4e200c79aff20ab06b3273554184bde977
Instruction Fuzzy Hash: 3511393AD01219FFEB10DBA4CD85FADBB78EB08750F2001A5EA00B7294D6716E60DB94

Function 002CE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002CE1FD
MessageBoxW.USER32(?,?,?,?), ref: 002CE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002CE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002CE24D

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d4d0f7389d59830224cb8a669af8dbe2da53bb1f17d5d664dc0c1f7515b54048
Instruction ID: 67df1444ac07fb3c792e1c4df0ac4f8fa8417e0e58dfa3c9d024dd813c10acd2
Opcode Fuzzy Hash: d4d0f7389d59830224cb8a669af8dbe2da53bb1f17d5d664dc0c1f7515b54048
Instruction Fuzzy Hash: 43110876914218BBCB019FA8AC49FAF7FAC9B45370F114369F824D3291D2B08D148BA1

Function 0028D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0028CFF9,00000000,00000004,00000000), ref: 0028D218
GetLastError.KERNEL32 ref: 0028D224
__dosmaperr.LIBCMT ref: 0028D22B
ResumeThread.KERNEL32(00000000), ref: 0028D249

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 197a5222ebff2acac98f2660498711e821f4b1d8e11055dd9d5cadcd69acd1ec
Instruction ID: a95c5a3712700c87047488ca1bc818c0b8a7939f56315cf65022005a815be5b4
Opcode Fuzzy Hash: 197a5222ebff2acac98f2660498711e821f4b1d8e11055dd9d5cadcd69acd1ec
Instruction Fuzzy Hash: F701DB3A4261097BD7117FA5DC09BAE7B59DF81370F204215FD25951D1CB708929CBA0

Function 0026600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0026604C
GetStockObject.GDI32(00000011), ref: 00266060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0026606A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 09f36c60fdb75278a992431017c949074b51abc052f34b5b844adf60df59391b
Instruction ID: da5b08797562eb56d5a3b0942b16c3e82feff533a41dade426c27f4de32c9bf6
Opcode Fuzzy Hash: 09f36c60fdb75278a992431017c949074b51abc052f34b5b844adf60df59391b
Instruction Fuzzy Hash: 9C118B72111509BFEF125FA49C48AEABF6DFF083A4F100226FA0492010C7329CA0DBA0

Function 00283B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00283B56

Part of subcall function 00283AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00283AD2
Part of subcall function 00283AA3: ___AdjustPointer.LIBCMT ref: 00283AED

_UnwindNestedFrames.LIBCMT ref: 00283B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00283B7C
CallCatchBlock.LIBVCRUNTIME ref: 00283BA4

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: a4f67b60e980f0cfe42cb43e250713e4844cc6fccf4ccd47696070b01dc1f44a
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 97011776111149BBDF12BE95CC42EEB3B69EF48B58F044014FE4856161D632E9719BA0

Function 00293073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002613C6,00000000,00000000,?,0029301A,002613C6,00000000,00000000,00000000,?,0029328B,00000006,FlsSetValue), ref: 002930A5
GetLastError.KERNEL32(?,0029301A,002613C6,00000000,00000000,00000000,?,0029328B,00000006,FlsSetValue,00302290,FlsSetValue,00000000,00000364,?,00292E46), ref: 002930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0029301A,002613C6,00000000,00000000,00000000,?,0029328B,00000006,FlsSetValue,00302290,FlsSetValue,00000000), ref: 002930BF

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 29b85d6ae09f41d78500ca50718876f9f2720ded40e5fa6075bb3224319dada7
Instruction ID: 395bc45fcbf5456e13159d5ec7ebf27e0dc6a425e6b5597535cb87d16b77f9fa
Opcode Fuzzy Hash: 29b85d6ae09f41d78500ca50718876f9f2720ded40e5fa6075bb3224319dada7
Instruction Fuzzy Hash: F801D432331227ABCF31CE78AC489677B98AF45BB1B210630F915E3140C721D915C6E0

Function 002C7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 002C747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 002C7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002C74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002C74CA

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 5d7452023b64a06432468c35bc5e1cc41a3f13f6490ad1a8ad7c41f6c6c6bb42
Instruction ID: 84dbdf28a18a254292a73a88d9f15653b1ad92baf82420ecd1f197b72b760e3e
Opcode Fuzzy Hash: 5d7452023b64a06432468c35bc5e1cc41a3f13f6490ad1a8ad7c41f6c6c6bb42
Instruction Fuzzy Hash: 1F118BB5225315ABE7308F14ED09FA2BBFCEB00B50F20866DA626D6191D7B0E914DF60

Function 002CB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,002CACD3,?,00008000), ref: 002CB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,002CACD3,?,00008000), ref: 002CB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,002CACD3,?,00008000), ref: 002CB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,002CACD3,?,00008000), ref: 002CB126

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: cfb970ce5fd989c91a01c720442515e8f3cf48e54c7375109657aceddb8047a1
Instruction ID: c1456e780f49ac169c9094e53bbd00345dec3bb89b999c25ad8d94e51b779fea
Opcode Fuzzy Hash: cfb970ce5fd989c91a01c720442515e8f3cf48e54c7375109657aceddb8047a1
Instruction Fuzzy Hash: DC112731C2152DE7CF01AFA4E95ABFEBB78BF09721F114199D945B2181CB705A60CB52

Function 002F7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002F7E33
ScreenToClient.USER32(?,?), ref: 002F7E4B
ScreenToClient.USER32(?,?), ref: 002F7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002F7E8A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 337fe8e563097bb6c40d62d1843862a85c62215d211a88487da422d3ab202dd8
Instruction ID: 5f081dce34b531004f35a2eae903b0b82dcf1bc26f412b7c627c91bddf842210
Opcode Fuzzy Hash: 337fe8e563097bb6c40d62d1843862a85c62215d211a88487da422d3ab202dd8
Instruction Fuzzy Hash: 401143B9D0420EAFDB41DF98D9849EEFBF9FB08350F505066E915E2210D735AA54CF50

Function 002C2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 002C2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 002C2DD6
GetCurrentThreadId.KERNEL32 ref: 002C2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 002C2DE4

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 32d3145afbc618b7c905f8194f4fd9fd8cb2871fc4fad8813431024dd226b0f6
Instruction ID: 829d215df68093f7f32f68d8d2e001ee353e2e192b3744001f6dc22095b7a0a3
Opcode Fuzzy Hash: 32d3145afbc618b7c905f8194f4fd9fd8cb2871fc4fad8813431024dd226b0f6
Instruction Fuzzy Hash: 09E06D71115228BAD7201B62AD0DFFB3E6CEF93BB1F100129B106D10809EA08844C6B0

Function 002F8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00279639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00279693
Part of subcall function 00279639: SelectObject.GDI32(?,00000000), ref: 002796A2
Part of subcall function 00279639: BeginPath.GDI32(?), ref: 002796B9
Part of subcall function 00279639: SelectObject.GDI32(?,00000000), ref: 002796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 002F8887
LineTo.GDI32(?,?,?), ref: 002F8894
EndPath.GDI32(?), ref: 002F88A4
StrokePath.GDI32(?), ref: 002F88B2

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 314055f67d8f837d2be15affb1f5a7b32289b392403342d733798a1517d6acd2
Instruction ID: f58be410c94720992ea27478c41d2effd568c2e684e7a3c1c5c650d36366a855
Opcode Fuzzy Hash: 314055f67d8f837d2be15affb1f5a7b32289b392403342d733798a1517d6acd2
Instruction Fuzzy Hash: FFF09A3601125DBADB125F94AD0DFEA3E19AF063A0F108010FA11610E1CB740521CFE5

Function 002798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002798CC
SetTextColor.GDI32(?,?), ref: 002798D6
SetBkMode.GDI32(?,00000001), ref: 002798E9
GetStockObject.GDI32(00000005), ref: 002798F1

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: a07542a88ed924d25721d2643eeef55d713ba674d85b3cc4a7122757e7b5f4b2
Instruction ID: 982b25fcac31d315520cf11912156eac7ebbff26b3e4fb6b94d98d4bf6a0f439
Opcode Fuzzy Hash: a07542a88ed924d25721d2643eeef55d713ba674d85b3cc4a7122757e7b5f4b2
Instruction Fuzzy Hash: 62E06531244245AAEB215F74BD0DBF93F20EB513B6F248229F6FD581E1C3714660DB10

Function 002C162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 002C1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002C11D9), ref: 002C163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002C11D9), ref: 002C1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002C11D9), ref: 002C164F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c75f7e50cb9bc509ab90ff1e8dd0e428c75fc55438a29bd3ea0af4c2d3847b38
Instruction ID: ed7915ae7ba65cc86017fb82299fb446ec586880ab3d2b69ab943bfc3687f9ec
Opcode Fuzzy Hash: c75f7e50cb9bc509ab90ff1e8dd0e428c75fc55438a29bd3ea0af4c2d3847b38
Instruction Fuzzy Hash: 74E04F326012159BD7201FB0AE0DF663B6CAF457E1F24482CF645C9080DA244455CB50

Function 002BD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002BD858
GetDC.USER32(00000000), ref: 002BD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002BD882
ReleaseDC.USER32(?), ref: 002BD8A3

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b443921296d3073a321288af3e3317bd7a4175d9538acd9768e01e07a0225fa9
Instruction ID: 8eeeaeecfc124893a377c1f3f01982ddc2d6762a37788b5e403374029d46e064
Opcode Fuzzy Hash: b443921296d3073a321288af3e3317bd7a4175d9538acd9768e01e07a0225fa9
Instruction Fuzzy Hash: ABE01AB0814208DFCB41AFA0EA0CA7DBBB5FB48361F208429E856E7350CB794952EF40

Function 002BD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002BD86C
GetDC.USER32(00000000), ref: 002BD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002BD882
ReleaseDC.USER32(?), ref: 002BD8A3

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a127a6a8c375b1a5c3b270f786eafb75424d50c50a8801cc10b79f733dbab91c
Instruction ID: a81a82943a0c30b62d9f767121250898fe6b92d7bed0c12eb2b2ac985251ec43
Opcode Fuzzy Hash: a127a6a8c375b1a5c3b270f786eafb75424d50c50a8801cc10b79f733dbab91c
Instruction Fuzzy Hash: AAE01A70814208DFCB40AFA0E90C67DBBB5BB48360B208419E95AE7350CB795911DF40

Function 002D4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00267620: _wcslen.LIBCMT ref: 00267625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 002D4ED4

Strings

LPT, xrefs: 002D4DFB
*, xrefs: 002D4E10

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 800f495012dd4417b21077fd80bebf35ac92183857f8d13d83fda13c11eb3dbe
Instruction ID: 609a7ebdf7796834f168895c65e76af4b861384715d14eae2ee869904fcdbeb7
Opcode Fuzzy Hash: 800f495012dd4417b21077fd80bebf35ac92183857f8d13d83fda13c11eb3dbe
Instruction Fuzzy Hash: 13919375A102459FCB14EF54C484EA9BBF1BF48308F18809AE80A9F7A2D771ED95CF90

Function 0028E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0028E30D

Strings

pow, xrefs: 0028E2E5, 0028E302

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 99cc748fb09a09ac369e8685195de1e8110696f01f5f973ef71c6d5cd2841b63
Instruction ID: a9a321a733e54f0353f0e1caadfd14f7c16b36b1f7a3861fec253cdbc4b485e6
Opcode Fuzzy Hash: 99cc748fb09a09ac369e8685195de1e8110696f01f5f973ef71c6d5cd2841b63
Instruction Fuzzy Hash: 0F518F65A3E20396CF167F14CD1137A3BA8EF40B40F358999F4D5422E9DB348CB19B46

Function 002E7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(002B569E,00000000,?,002FCC08,?,00000000,00000000), ref: 002E78DD

Part of subcall function 00266B57: _wcslen.LIBCMT ref: 00266B6A

CharUpperBuffW.USER32(002B569E,00000000,?,002FCC08,00000000,?,00000000,00000000), ref: 002E783B

Strings

<s2, xrefs: 002E77C8

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s2
API String ID: 3544283678-519421523
Opcode ID: 4039f0e8201bdc3fd36b8a3ded35f4adfbcb4d915151b636e14c868d6415a3b6
Instruction ID: 58a7b05cfce8df6732fdeccd435df763610ec8ec091d7bbebb8051e310f2952f
Opcode Fuzzy Hash: 4039f0e8201bdc3fd36b8a3ded35f4adfbcb4d915151b636e14c868d6415a3b6
Instruction Fuzzy Hash: C3617B32974159EACF04EBA5CC91DFDB378BF24300B944025E542B3192EF705AA5DFA0

Function 0027E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0027E1B1

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 224784132fe4210e0423204d3cdb131cee4225325d45e59cec2b5ba20ff838b9
Instruction ID: 84f0e936e30060cb4dc51acbdb94664f81a2d3a7821cccb328b1238e04f829f5
Opcode Fuzzy Hash: 224784132fe4210e0423204d3cdb131cee4225325d45e59cec2b5ba20ff838b9
Instruction Fuzzy Hash: 7B516635524247EFDF15DF68C0416FABBA8EF29310F258055EC919B2D1DA309D62EBA0

Function 0027F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0027F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0027F2BB

Strings

@, xrefs: 0027F2AF

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 1de37db83b83e60a8871a9916c0b0ca971d6c539f9e35be65b5980213fa3c35e
Instruction ID: 996eeb4d8c333070c28d83c44a400f797c15295f5739f58e3f66a4ed1193ce30
Opcode Fuzzy Hash: 1de37db83b83e60a8871a9916c0b0ca971d6c539f9e35be65b5980213fa3c35e
Instruction Fuzzy Hash: EB5177714287449BD320AF50E886BABBBF8FB88304F81885DF1D9410A5EB718579CB66

Function 002E5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002E57E0
_wcslen.LIBCMT ref: 002E57EC

Strings

CALLARGARRAY, xrefs: 002E57E6, 002E57EB

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 2ea36cdea284d38d4907b091a74413fab3492b366e59c9f820536586aae41c5c
Instruction ID: 41bf22d3c21d008302927a041cee2e0ebc3042bb596bf5e9c1285dfa3fe43902
Opcode Fuzzy Hash: 2ea36cdea284d38d4907b091a74413fab3492b366e59c9f820536586aae41c5c
Instruction Fuzzy Hash: 0241E131E2021ADFCB14DFA9C8859BEBBB5FF59328F504129E505A7251E7309DA1CFA0

Function 002DD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002DD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002DD13A

Strings

|, xrefs: 002DD10B

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 840b97ba9fe50854e0daea9d2b43a3108bb3446bb856deec16230d027d62ac65
Instruction ID: 3e9deab24113b6a099e5a569ffaf2063dc8f3f7c7348f21ffb19399251dcffd1
Opcode Fuzzy Hash: 840b97ba9fe50854e0daea9d2b43a3108bb3446bb856deec16230d027d62ac65
Instruction Fuzzy Hash: 7C311971D10209ABCF15EFA4CC85EEEBFB9FF04300F100119E819A6266D731AA66DF90

Function 002F356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 002F3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002F365C

Strings

static, xrefs: 002F35BC

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 4ee32a16c4d1d2ce30f02f3b18079792db9cd098f9bce35f054d2318a616606b
Instruction ID: 86e7f1104426f06b367b41e052fbaab6038854453a5d91134f19c75f0ad787c9
Opcode Fuzzy Hash: 4ee32a16c4d1d2ce30f02f3b18079792db9cd098f9bce35f054d2318a616606b
Instruction Fuzzy Hash: 6F318371120209AADB10DF64DC40EBBB3ADFF88764F108629F965D7150DA30EDA5DB64

Function 002F4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 002F461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002F4634

Strings

', xrefs: 002F458E

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 70347d27fdb8a9d1b07d61b809ef9d30dfb38c08c976bd5da523c9f1f5f4c9f3
Instruction ID: 986da2fbae5facbce81a84964a4f1e8279a90987132116579d9f512cce455ff2
Opcode Fuzzy Hash: 70347d27fdb8a9d1b07d61b809ef9d30dfb38c08c976bd5da523c9f1f5f4c9f3
Instruction Fuzzy Hash: 98314B74A1020E9FDB14DF69C990BEABBB9FF19340F50406AEA04EB351D7B0A951CF90

Function 002F31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002F327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002F3287

Strings

Combobox, xrefs: 002F3249

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d95de54175b1d09b7b510f404de9fa3e89b66ab71565144bb479433411fadeda
Instruction ID: 731be956f17e330284f8af9c708c4bbf4a4ef2e3bc34a95992219dc9800fd0ff
Opcode Fuzzy Hash: d95de54175b1d09b7b510f404de9fa3e89b66ab71565144bb479433411fadeda
Instruction Fuzzy Hash: 4511E27132020D7FFF25DE54DC84EBBB76AEB943A4F104134FA1897290D6319D619B60

Function 002F3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0026600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0026604C
Part of subcall function 0026600E: GetStockObject.GDI32(00000011), ref: 00266060
Part of subcall function 0026600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0026606A

GetWindowRect.USER32(00000000,?), ref: 002F377A
GetSysColor.USER32(00000012), ref: 002F3794

Strings

static, xrefs: 002F3757

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 2433d8617df6d1bf1887d656441453eb876c6219f1ee1351084bb69a2511062c
Instruction ID: cbc80fe58766ed63d528815173a21f1b01d5fb114b4791b5f3b21379d5d233d0
Opcode Fuzzy Hash: 2433d8617df6d1bf1887d656441453eb876c6219f1ee1351084bb69a2511062c
Instruction Fuzzy Hash: 81112CB262020EAFDB01DFA8CC45AFABBB8FB08354F104524FA55E2250D775E861DB50

Function 002DCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002DCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002DCDA6

Strings

<local>, xrefs: 002DCD66

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 3e1a084b40206227ea033fe149f08b3b6d8c5ce007b82fdc68278c661c8ada81
Instruction ID: 64a79833624a97c4157a792c01fce7e44a6ea0ef496780963df21e6119cabcc2
Opcode Fuzzy Hash: 3e1a084b40206227ea033fe149f08b3b6d8c5ce007b82fdc68278c661c8ada81
Instruction Fuzzy Hash: BB11A3712256377AD7284A669C49EF7BE6EEF127A4F204237B14983280D6609C50D6F0

Function 002F3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002F34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002F34BA

Strings

edit, xrefs: 002F348F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: cd3422d4fa83aba22d431cd89981bbb5e5cabc50b9ff8e74f320b5a1250b01ec
Instruction ID: f91299609a4b6787319f5c83793cbee492fc2495040a3fe4ed68bd43e42bd7cc
Opcode Fuzzy Hash: cd3422d4fa83aba22d431cd89981bbb5e5cabc50b9ff8e74f320b5a1250b01ec
Instruction Fuzzy Hash: 26118F7112010DABEB128E64DC44ABBB76AEB053B4F604734FA65971D0C771DC619B60

Function 002C6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

CharUpperBuffW.USER32(?,?,?), ref: 002C6CB6
_wcslen.LIBCMT ref: 002C6CC2

Strings

STOP, xrefs: 002C6CBC, 002C6CC1

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: fa0402ad0f8d5ebcdf9d1a8be0ee1b30ac1e326c7b690b7236f3ec2db5e2440a
Instruction ID: be71d34221648e3e309e607c0e4cfcc4917d4eac8b3a34940fc749517683bde7
Opcode Fuzzy Hash: fa0402ad0f8d5ebcdf9d1a8be0ee1b30ac1e326c7b690b7236f3ec2db5e2440a
Instruction Fuzzy Hash: 060108326305278BCB21AFFDDC88EBF33A4EA60710710063DE45293190EA31D960CA50

Function 002C1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

Part of subcall function 002C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 002C3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002C1D4C

Strings

ListBox, xrefs: 002C1D16
ComboBox, xrefs: 002C1CEB

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6c409122002e05c6953b1d727a2dd756382fb63c1b1613955a6445a95552445b
Instruction ID: 4e4563ea13e8576e75724294739e0574853bfee031e25f600475bc38037deb8c
Opcode Fuzzy Hash: 6c409122002e05c6953b1d727a2dd756382fb63c1b1613955a6445a95552445b
Instruction Fuzzy Hash: CC01DD716611156BCB08EFA4CD56DFE7368EB57350B140B1EF823572C2DE305978CA60

Function 002C1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

Part of subcall function 002C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 002C3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 002C1C46

Strings

ListBox, xrefs: 002C1C10
ComboBox, xrefs: 002C1BE5

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 32e834d5264aecc70ef899e2af471ec8e826f9ab9488cf9772be3972747a9515
Instruction ID: adedc732b988c553527cdca3a7ffd88245a1c29ba974de9b46be0667fab13454
Opcode Fuzzy Hash: 32e834d5264aecc70ef899e2af471ec8e826f9ab9488cf9772be3972747a9515
Instruction Fuzzy Hash: 820188756A110567CB04EB90DA52EFF77AC9B16340F14011EF40667182EE749B78DAB2

Function 002C1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

Part of subcall function 002C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 002C3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 002C1CC8

Strings

ListBox, xrefs: 002C1C94
ComboBox, xrefs: 002C1C69

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 62c73ba34d54fd825013510d028df525daaffff68fa83b4156f4f191d9876226
Instruction ID: 06f21587f3e4586d58beef8deb69b889d6a3d8dcb4317d83b0f80184789c04cf
Opcode Fuzzy Hash: 62c73ba34d54fd825013510d028df525daaffff68fa83b4156f4f191d9876226
Instruction Fuzzy Hash: F101A7716A011967CB04EB90CB12FFE73AC9B12340F14011AF80173282EA709F78DA72

Function 0027A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0027A529

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

Strings

,%3, xrefs: 0027A509
3y+, xrefs: 0027A545, 0027A54D, 0027A552

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%3$3y+
API String ID: 2551934079-2142077466
Opcode ID: 0e54f3c24f309587967ac78d4bb9e2226f95e458eceb78bdb7769e9129e15288
Instruction ID: 33d96b05ba00c75fde9c189bd138d2e450c31a2ee6ab8f9a22afe9abb839dbde
Opcode Fuzzy Hash: 0e54f3c24f309587967ac78d4bb9e2226f95e458eceb78bdb7769e9129e15288
Instruction Fuzzy Hash: 4C017B31B2061087C501F778D89BA6E73188B86B30F808024F509571C2DE705D658F87

Function 002C1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00269CB3: _wcslen.LIBCMT ref: 00269CBD

Part of subcall function 002C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 002C3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 002C1DD3

Strings

ListBox, xrefs: 002C1DA0
ComboBox, xrefs: 002C1D75

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b232d791a47e85c060a300840edca25c40474e24789bbdeaa1a1587ec9ebe2f8
Instruction ID: 9b469453b972ad19f7944c20e2360b9cc3160e6bb413094d7c0daa85b8f661cd
Opcode Fuzzy Hash: b232d791a47e85c060a300840edca25c40474e24789bbdeaa1a1587ec9ebe2f8
Instruction Fuzzy Hash: C3F0A971A6121567D704F7A4DD52FFE776CAB16350F040A19F422632C2DE705A788660

Function 002F8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00333018,0033305C), ref: 002F81BF
CloseHandle.KERNEL32 ref: 002F81D1

Strings

\03, xrefs: 002F818A

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \03
API String ID: 3712363035-4201732387
Opcode ID: 089a4aabd433e88585d31b21bb869903fc228d08b8e8841cfe9c612e087f55e9
Instruction ID: 6cef0e31116571ee05f274155c7391e756b2dc3255e7261dcd83de0b6e978df0
Opcode Fuzzy Hash: 089a4aabd433e88585d31b21bb869903fc228d08b8e8841cfe9c612e087f55e9
Instruction Fuzzy Hash: 25F0B4F5640304BAF31567206C85F773A4CDB04791F008060BB09D51A1D6798A5487B4

Function 002E747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002E7493
_wcslen.LIBCMT ref: 002E74B9

Strings

3, 3, 16, 1, xrefs: 002E7483

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 50d830e801a1d898e99e59f5b94a306b5039cd9b2b148a7df60fa8ef1114bb50
Instruction ID: 9180434170d24e5e051e8de271130fc987703a7ddcff3fe0ed21b1ebe00cf74d
Opcode Fuzzy Hash: 50d830e801a1d898e99e59f5b94a306b5039cd9b2b148a7df60fa8ef1114bb50
Instruction Fuzzy Hash: D4E0AB0A2762A2119231323BACC19BF4699DFC9750350082BF984C22E7EB80CDB193A0

Function 002C0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002C0B23

Strings

AutoIt, xrefs: 002C0B17
Error allocating memory., xrefs: 002C0B1C

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: cc9d87363ccfde21eed1f6cc05bec5ff7c79f6e3e4680556323535bf5b7d0340
Instruction ID: 6de0e4d32bdf9b34b08b18eac0882b5de61ac2189f4ab992dfe0dd90b75c4445
Opcode Fuzzy Hash: cc9d87363ccfde21eed1f6cc05bec5ff7c79f6e3e4680556323535bf5b7d0340
Instruction Fuzzy Hash: 49E0D8312A931C2BD21436947D07FD9BA848F05F60F20443AF748954C38BE124B04AE9

Function 00280D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0027F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00280D71,?,?,?,0026100A), ref: 0027F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0026100A), ref: 00280D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0026100A), ref: 00280D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00280D7F

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 1dd61e327004947258becbcdffd8a6146611fb301dc3a9e3bdc07af90c9b1420
Instruction ID: 550a5b39ee91dffdf7813db57ff96ab359768c712bdd47a142e4735656137672
Opcode Fuzzy Hash: 1dd61e327004947258becbcdffd8a6146611fb301dc3a9e3bdc07af90c9b1420
Instruction Fuzzy Hash: 44E065742113414BE3A0AF78E648752BBE4EF00791F00493DE886C6755DBB0E458CB91

Function 0027E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0027E3D5

Strings

0%3, xrefs: 0027E3B5
8%3, xrefs: 0027E3CA

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%3$8%3
API String ID: 1385522511-3605270863
Opcode ID: 6a6f30057d2414c9bceec665414b3f18dcc357b37d6d24e90656c04825c130ae
Instruction ID: 357354fb18c1430f0a9f051f885005b8453672fd4e227ee82eb9424a100dec9c
Opcode Fuzzy Hash: 6a6f30057d2414c9bceec665414b3f18dcc357b37d6d24e90656c04825c130ae
Instruction Fuzzy Hash: 52E02036430910CBEE06E718B4D4F5D7355AB0E320F1141E4F245871D19B7019518B64

Function 002D3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 002D302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 002D3044

Strings

aut, xrefs: 002D3038

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ef756dac412263b00716901744adf27a6afd56f9dc6d1b9e254d2b872dbed831
Instruction ID: 21f845797b180003a642977344e472d1b888c49fd975ffdf999d065d6414330c
Opcode Fuzzy Hash: ef756dac412263b00716901744adf27a6afd56f9dc6d1b9e254d2b872dbed831
Instruction Fuzzy Hash: A3D05B7150032867DA209794BD0EFD73A6CDB04760F000161BA55D2091DAB09544CAD0

Function 002BD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002BD220

Strings

%.3d, xrefs: 002BD22B
X64, xrefs: 002BD2A8

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: ce92a59d1c2628157c7a6bead34895c9070ce5863deee499df0d23d2c029a886
Instruction ID: f380ad4387630ddb0c523738a8ef20998a31e593c97bc390ed89777ec5474523
Opcode Fuzzy Hash: ce92a59d1c2628157c7a6bead34895c9070ce5863deee499df0d23d2c029a886
Instruction Fuzzy Hash: A6D01275C39158EACB9096D0DD498FAB37CFB08381F608462FD1A91041F674D528AB61

Function 002F2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002F232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002F233F

Part of subcall function 002CE97B: Sleep.KERNEL32 ref: 002CE9F3

Strings

Shell_TrayWnd, xrefs: 002F2325

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ad37923577ebaf4171d01ce5280ffd81f84beaa7a2fecf0d7eacd59ccc2be4c9
Instruction ID: 6bbf663f59816cb779913c26689024c0e38efc8590857a7e6430dbe4db166fb0
Opcode Fuzzy Hash: ad37923577ebaf4171d01ce5280ffd81f84beaa7a2fecf0d7eacd59ccc2be4c9
Instruction Fuzzy Hash: A1D02272394310B7E668B330FC0FFD67A189F40B20F100A26B305EA0D0C8F0A800CA00

Function 002F2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002F236C
PostMessageW.USER32(00000000), ref: 002F2373

Part of subcall function 002CE97B: Sleep.KERNEL32 ref: 002CE9F3

Strings

Shell_TrayWnd, xrefs: 002F2365

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0028fb32512db4f29058f8e38eddbbc3311e8d3c29ddfc8d381591d83eddd0af
Instruction ID: af404211973fb4c45e920deaa4d4cca7f8e9d3e8a5d75b7f8d274d19c1a2dc96
Opcode Fuzzy Hash: 0028fb32512db4f29058f8e38eddbbc3311e8d3c29ddfc8d381591d83eddd0af
Instruction Fuzzy Hash: 4BD022723C03107BE668B330FC0FFC676189B40B20F100A26B301EA0D0C8F0B800CA04

Function 0029BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0029BE93
GetLastError.KERNEL32 ref: 0029BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0029BEFC

Memory Dump Source

Source File: 00000001.00000002.1547293858.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000001.00000002.1546305634.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.00000000002FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1552306005.0000000000322000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553018664.000000000032C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1553203039.0000000000334000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_260000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: c1f5a71f82a4d9d8c8075deb6c8fcf4603e2b95cc0768a0b0efb753a012bef3e
Instruction ID: 191e36f4bff41903f999982c5b8e2846615bda274f44e34f2a5f8bfa219fc74a
Opcode Fuzzy Hash: c1f5a71f82a4d9d8c8075deb6c8fcf4603e2b95cc0768a0b0efb753a012bef3e
Instruction Fuzzy Hash: 2541073562420BEFCF229F64EE44ABA7BA9EF41360F244169F959975E1DB708C20CF50

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.8:49732
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.8:64363

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.1676065035.0000022DC8F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1676065035.0000022DC8F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1676065035.0000022DC8F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1675472167.0000022DCA679000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1693533792.0000022DCA67F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1688120336.0000022DCA67F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1660679944.0000022DCCE99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1673562912.0000022DCCE99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609585614.0000022DCCE99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1675472167.0000022DCA679000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1693533792.0000022DCA67F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1688120336.0000022DCA67F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1681755597.0000022DC8E45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1696924118.0000022DC8E45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1681755597.0000022DC8E45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1696924118.0000022DC8E45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000002.2715072642.000001F2D5E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2716818426.000001A35FB0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.2715072642.000001F2D5E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2716818426.000001A35FB0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000002.2715072642.000001F2D5E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2716818426.000001A35FB0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1673562912.0000022DCCE93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1660679944.0000022DCCE8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609585614.0000022DCCE8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://89c83477-7a1a-4f5a-bda8-ef3858d4c7d0/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1679888944.0000022DCC611000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1675472167.0000022DCA679000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1693533792.0000022DCA67F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1684032179.0000022DC3C63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1681051915.0000022DC8E9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1613861142.0000022DC8E9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1679888944.0000022DCC611000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1662579671.0000022DCC611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.8:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:64367 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:64365 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:64368 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:64366 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:64369 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:64370 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:64372 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:64371 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 64365 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64376 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64370 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64367 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64370
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64372
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64371
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64365
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64364
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64367
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64366
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64364 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64369
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64368
Source: unknown	Network traffic detected: HTTP traffic on port 64366 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64372 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64376
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64369 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 64368 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64371 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8713d400-52b9-44dc-ae62-bf9b220c7483.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8713d400-52b9-44dc-ae62-bf9b220c7483.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre