Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561526
MD5:	16f8b17baceadaed2044ccfcaae7d31d
SHA1:	63383b3bc5a7acfd4404c12719d961c06aadedbb
SHA256:	d21b71f8d3ade0e63d229a8969f22f6c0d7b8f0a011f5b74af5c31d79d10dcd4
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 3472 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 16F8B17BACEADAED2044CCFCAAE7D31D)

taskkill.exe (PID: 2404 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6008 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5936 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2620 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4788 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 2724 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2032 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5776 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3620 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3d3592d-2a7f-4998-ad9d-25d2e559128e} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1804376f510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7504 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3300 -parentBuildID 20230927232528 -prefsHandle 3408 -prefMapHandle 3640 -prefsLen 26099 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8716ed0-fba8-43a6-bdf8-f0c97c379a93} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 180536d6b10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7196 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4860 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4748 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35a3a37c-b193-447c-aca0-ac37bcd14058} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1805622f710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 3472	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_004BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_004BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_004BED6A

Source: C:\Users\user\Desktop\file.exe

0_2_004BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_004AAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_004D9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2132397232.0000000000502000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_72973011-a
Source: file.exe, 00000000.00000000.2132397232.0000000000502000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8299fff4-0
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2a5272a3-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c912315c-4

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001FAC77B91B2 NtQuerySystemInformation,		18_2_000001FAC77B91B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001FAC77B2C37 NtQuerySystemInformation,		18_2_000001FAC77B2C37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_004AD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_004A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004AE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044BF40	0_2_0044BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B2046	0_2_004B2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00448060	0_2_00448060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A8298	0_2_004A8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047E4FF	0_2_0047E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047676B	0_2_0047676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D4873	0_2_004D4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044CAF0	0_2_0044CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046CAA0	0_2_0046CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045CC39	0_2_0045CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476DD9	0_2_00476DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045B119	0_2_0045B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004491C0	0_2_004491C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00461394	0_2_00461394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046781B	0_2_0046781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045997D	0_2_0045997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00447920	0_2_00447920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00467A4A	0_2_00467A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00467CA7	0_2_00467CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004CBE44	0_2_004CBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00479EEE	0_2_00479EEE
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001FAC77B91B2	18_2_000001FAC77B91B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001FAC77B2C37	18_2_000001FAC77B2C37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001FAC77B91F2	18_2_000001FAC77B91F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001FAC77B98DC	18_2_000001FAC77B98DC

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00449CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0045F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00460A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B37B5 GetLastError,FormatMessageW,

0_2_004B37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A10BF AdjustTokenPrivileges,CloseHandle,		0_2_004A10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004A16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004B51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_004AD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_004B648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004442A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:828:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2358909713.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381298756.000001805F4BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2286186860.0000018060B2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2340221500.0000018060B2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F440000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2358909713.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381298756.000001805F4BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2358909713.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381298756.000001805F4BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2358909713.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381298756.000001805F4BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2286367590.0000018060B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2340258929.0000018060B12000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2358909713.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381298756.000001805F4BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2358909713.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381298756.000001805F4BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2358909713.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381298756.000001805F4BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2358909713.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381298756.000001805F4BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2358909713.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381298756.000001805F4BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3d3592d-2a7f-4998-ad9d-25d2e559128e} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1804376f510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3300 -parentBuildID 20230927232528 -prefsHandle 3408 -prefMapHandle 3640 -prefsLen 26099 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8716ed0-fba8-43a6-bdf8-f0c97c379a93} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 180536d6b10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4860 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4748 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35a3a37c-b193-447c-aca0-ac37bcd14058} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1805622f710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3d3592d-2a7f-4998-ad9d-25d2e559128e} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1804376f510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3300 -parentBuildID 20230927232528 -prefsHandle 3408 -prefMapHandle 3640 -prefsLen 26099 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8716ed0-fba8-43a6-bdf8-f0c97c379a93} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 180536d6b10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4860 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4748 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35a3a37c-b193-447c-aca0-ac37bcd14058} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1805622f710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2256300675.000001805FD59000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdb source: firefox.exe, 0000000E.00000003.2251320559.0000018051272000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2253506994.000001805FD01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2256300675.000001805FD59000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2255044613.000001805FD01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2253506994.000001805FD01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2255044613.000001805FD01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdbGCTL source: firefox.exe, 0000000E.00000003.2251320559.0000018051272000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004442DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00460A76 push ecx; ret

0_2_00460A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0045F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004D1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94483

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001FAC77B91B2 rdtsc

18_2_000001FAC77B91B2

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Users\user\Desktop\file.exe TID: 5388	Thread sleep count: 108 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5388	Thread sleep count: 135 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004ADBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047C2A2 FindFirstFileExW,	0_2_0047C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B68EE FindFirstFileW,FindClose,	0_2_004B68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_004B698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004AD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004AD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004B9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004B979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_004B9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_004B5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004442DE

Source: firefox.exe, 00000012.00000002.3390102702.000001FAC7E10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&Q
Source: firefox.exe, 00000010.00000002.3391174712.000002424A240000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3385334102.000002424990A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3390102702.000001FAC7E10000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3389538976.00000150DC315000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3390343423.0000024249E1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000013.00000002.3384362162.00000150DBD9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`Q1
Source: firefox.exe, 00000010.00000002.3385334102.000002424990A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW=
Source: firefox.exe, 00000012.00000002.3384638865.000001FAC759A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: firefox.exe, 00000010.00000002.3391174712.000002424A240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000012.00000002.3390102702.000001FAC7E10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllBWO

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001FAC77B91B2 rdtsc

18_2_000001FAC77B91B2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004BEAA2 BlockInput,

0_2_004BEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00472622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00472622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004442DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00464CE8 mov eax, dword ptr fs:[00000030h]

0_2_00464CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_004A0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00472622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00472622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0046083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004609D5 SetUnhandledExceptionFilter,	0_2_004609D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00460C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00460C21

Source: C:\Users\user\Desktop\file.exe

0_2_004A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00482BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00482BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AB226 SendInput,keybd_event,

0_2_004AB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004C22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004C22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_004A0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_004A1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2242536588.000001805FD64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00460698 cpuid

0_2_00460698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_004B8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0049D27A GetUserNameW,

0_2_0049D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0047B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004442DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 3472, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 3472, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_004C1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_004C1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	34%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://addons.mozilla.org(	0%	Avira URL Cloud	safe
http://ocsp.digice65fyo	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.65	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	142.250.181.142	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000013.00000002.3386159799.00000150DC1C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2341766075.0000018057698000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2355263253.000001805DA05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2351754820.000001805DA05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2231296534.000001805C7B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2326795948.000001805441D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2209160763.0000018054424000.00000004.00000800.00020000.00000000.sdmp	false		high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3387215969.000001FAC78CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3386159799.00000150DC18F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2376994503.00000180543DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2372509090.0000018054C19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372509090.0000018054C1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2375373593.00000180532DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2375373593.00000180532FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2375373593.00000180532BA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2370944668.0000018054ED1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2181220166.0000018053600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181618503.0000018053831000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181445123.000001805380F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181790015.0000018053852000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2355263253.000001805DA05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2351754820.000001805DA05000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2358909713.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381386215.000001805F4A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2181220166.0000018053600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181618503.0000018053831000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364774155.0000018056226000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387647241.0000018056226000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302099208.00000180577F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181445123.000001805380F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181790015.0000018053852000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 0000000E.00000003.2342055702.0000018056F3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2385674178.0000018056F3E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2181220166.0000018053600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181618503.0000018053831000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181445123.000001805380F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/	firefox.exe, 0000000E.00000003.2368273264.0000018055361000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=https://ac	firefox.exe, 00000013.00000002.3389232222.00000150DC2F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.instagram.com/	firefox.exe, 0000000E.00000003.2221853538.00000180578DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220588209.00000180578DF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2350153005.000001805FC84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376994503.00000180543DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2366330859.00000180557AB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	firefox.exe, 00000013.00000002.3386159799.00000150DC10C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2223781524.000001805C7EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2226158449.000001805C718000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2370944668.0000018054E68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2376994503.00000180543DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2354319677.000001805F17F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2350791589.000001805F17F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381659545.000001805F17F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000013.00000002.3386159799.00000150DC1C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2374976408.0000018053669000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2365978647.0000018055CAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2355307439.000001805BE52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376574309.0000018055CAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2223836357.000001805C7BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223836357.000001805C7D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225861629.000001805C7F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2297890456.00000180563D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347284156.00000180563D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219031271.00000180563D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2228910748.00000180563D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2381659545.000001805F17F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2354664390.000001805DA2E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382597427.000001805DA2E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2351333317.000001805DA2E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		high
https://spocs.getpocket.com/	firefox.exe, 00000012.00000002.3387215969.000001FAC785F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3386159799.00000150DC113000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2376994503.00000180543DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2375373593.0000018053267000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2373218498.0000018054236000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2223836357.000001805C7D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225861629.000001805C7F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://addons.mozilla.org(	firefox.exe, 0000000E.00000003.2375373593.00000180532FA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2226456916.00000180575A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2305471605.0000018057286000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303682573.00000180575D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331550102.0000018054BC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2332371584.0000018054BCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220588209.00000180578A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2299684957.00000180566B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297890456.00000180563CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2332371584.0000018054BDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2224233500.00000180575A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223478672.0000018054BCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300248092.0000018056355000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221853538.00000180578C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300248092.00000180563F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300248092.00000180563DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2379262949.000001805FA23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2369781006.000001805530C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2358317390.0000018053DC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219031271.00000180563C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186589731.0000018054BDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210485228.00000180575A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2364873909.0000018055DA6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2385674178.0000018056F36000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false		high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2366330859.00000180557AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F440000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2366330859.00000180557AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F440000.00000004.00000800.00020000.00000000.sdmp	false		high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2326795948.000001805441D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2376994503.00000180543F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2375373593.0000018053267000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376373080.000001805628F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2360916596.000001805628F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2223836357.000001805C7D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225861629.000001805C7F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2356835635.000001805647F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2360257730.000001805647F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2386417575.0000018056481000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.digice65fyo	firefox.exe, 0000000E.00000003.2235963134.000001805126A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2385567501.0000018056F50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342055702.0000018056F4C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2223836357.000001805C7BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223836357.000001805C7D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223781524.000001805C7EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2226158449.000001805C718000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225624625.000001805C7E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225861629.000001805C7F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2375373593.0000018053267000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376373080.000001805628F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2360916596.000001805628F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.	firefox.exe, 0000000E.00000003.2343693496.00000180550CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214574386.00000180550AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2239372305.00000180550AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2319537589.00000180550B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2354319677.000001805F17F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2350791589.000001805F17F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381659545.000001805F17F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2391259932.0000018055378000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2377760123.000001805439A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2376994503.00000180543DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2364774155.0000018056226000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F440000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2181445123.000001805380F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	firefox.exe, 0000000E.00000003.2181220166.0000018053600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181618503.0000018053831000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364774155.0000018056226000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387647241.0000018056226000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302099208.00000180577F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181445123.000001805380F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2369883283.00000180552C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181790015.0000018053852000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.3386756444.0000024249AA0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3385449369.000001FAC7710000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3385674464.00000150DBF80000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.wykop.pl/	firefox.exe, 0000000E.00000003.2376994503.00000180543DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://twitter.com/	firefox.exe, 0000000E.00000003.2350153005.000001805FC84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376994503.00000180543DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.olx.pl/	firefox.exe, 0000000E.00000003.2376994503.00000180543DA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000E.00000003.2223781524.000001805C7EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2226158449.000001805C718000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefox	firefox.exe, 0000000E.00000003.2340783116.000001805C834000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561526
Start date and time:	2024-11-23 16:28:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@66/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 36 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.12.64.98, 35.80.238.59, 35.164.125.63, 172.217.17.78, 88.221.134.155, 88.221.134.209, 172.217.17.74, 172.217.17.42
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
10:29:11	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.116.198.130
	SystemCoreHelper.dll	Get hash	malicious	LummaC Stealer	Browse	34.117.59.81
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
ATGS-MMD-ASUS	sora.arm.elf	Get hash	malicious	Mirai	Browse	32.35.17.38
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	57.28.196.7
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	34.14.230.135
	sora.x86.elf	Get hash	malicious	Mirai	Browse	57.237.12.143
	sora.mips.elf	Get hash	malicious	Mirai	Browse	32.250.225.190
	sora.spc.elf	Get hash	malicious	Mirai	Browse	57.175.156.177
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_5c9c6db3-4be8-4519-85ae-68ba3e2788e6.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.170557694062599
Encrypted:	false
SSDEEP:	192:lBMX/LccbhbVbTbfbRbObtbyEl7ngr7JA6unSrDtTkdxSofy:liAcNhnzFSJAry1nSrDhkdxG
MD5:	65F51D98E22CA39A88D358A65E0619E1
SHA1:	187B9CABF5F6A1B935994D52AE7E7512BC9B60A7
SHA-256:	598192F2C2EAF211BD382256FD44C1883B64F47694C7C98B606685E196413F31
SHA-512:	7052632AF488B8CAE2DC07DE917563B22613FD8743DA97043E77C1CE771EBD7BC79D7C006CFB643C89BCCA8412D6F639F4D9AC10C9145D2FC6D13FB56A1BFBF7
Malicious:	false
Preview:	{"type":"uninstall","id":"5c9c6db3-4be8-4519-85ae-68ba3e2788e6","creationDate":"2024-11-23T17:17:20.716Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_5c9c6db3-4be8-4519-85ae-68ba3e2788e6.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.170557694062599
Encrypted:	false
SSDEEP:	192:lBMX/LccbhbVbTbfbRbObtbyEl7ngr7JA6unSrDtTkdxSofy:liAcNhnzFSJAry1nSrDhkdxG
MD5:	65F51D98E22CA39A88D358A65E0619E1
SHA1:	187B9CABF5F6A1B935994D52AE7E7512BC9B60A7
SHA-256:	598192F2C2EAF211BD382256FD44C1883B64F47694C7C98B606685E196413F31
SHA-512:	7052632AF488B8CAE2DC07DE917563B22613FD8743DA97043E77C1CE771EBD7BC79D7C006CFB643C89BCCA8412D6F639F4D9AC10C9145D2FC6D13FB56A1BFBF7
Malicious:	false
Preview:	{"type":"uninstall","id":"5c9c6db3-4be8-4519-85ae-68ba3e2788e6","creationDate":"2024-11-23T17:17:20.716Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.932043622145994
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLEn68P:gXiNFS+OcUGOdwiOdwBjkYLE68P
MD5:	85E13323C0C5C087A079AE0159454D75
SHA1:	E28F9DE23E7CBA78297593106FECAD3C913024B5
SHA-256:	4842C3198B30A5F9B99142C1B605EF8370D41C537B770F6E89042116A8E9F710
SHA-512:	EAC72252396DF4E1C9C6493A82E125A2B8243B4F7EE405B78E143EC9B3CC010FF7FA202B61FD297C34E27B8676BAA45F7EA2C03A544CA408BEAB8A628F59FDC4
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.932043622145994
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLEn68P:gXiNFS+OcUGOdwiOdwBjkYLE68P
MD5:	85E13323C0C5C087A079AE0159454D75
SHA1:	E28F9DE23E7CBA78297593106FECAD3C913024B5
SHA-256:	4842C3198B30A5F9B99142C1B605EF8370D41C537B770F6E89042116A8E9F710
SHA-512:	EAC72252396DF4E1C9C6493A82E125A2B8243B4F7EE405B78E143EC9B3CC010FF7FA202B61FD297C34E27B8676BAA45F7EA2C03A544CA408BEAB8A628F59FDC4
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07316517065798613
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkil0kN:DLhesh7Owd4+jiykN
MD5:	BFD993FCC4F902F3829781D4F4EC91D6
SHA1:	5216DA2D239D82C41ED621DB01B8C64989C634A8
SHA-256:	2A769933DC8A2D430C09D5F9B4019BB1ED8602A78389F0D5FC20AAC9A2696304
SHA-512:	1467B8619F237B51B13A1C3AB3D0743B2B5C267EFB4AC852888DEEBF56A3529AD3E35BD1BD22243DE62F16FFF22A47FE603D19BF9F941612867AF70F705C2448
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035493804082653645
Encrypted:	false
SSDEEP:	3:GtlstFcaXvLMVO9HY/tlstFcaXvLMVOllD89//alEl:GtWteaXTMQHYtWteaXTMIlD89XuM
MD5:	8D6CA73A6FEA7BA6C2F7A0015F98B5E3
SHA1:	8F7D454A6E88EE301CD1472E57B97C4A6A98B08A
SHA-256:	296AD7CAE1390A10C55B3E570FBBBA5C0F152A408946E44E4379C1AC6F2A38E8
SHA-512:	663F5AB1616672BDC91E31ED29EEC7FF1C2917F6A70B727D0F4EF4C428CD335EDDC15ABC7F9D3A3CA57E64ADCA5E7477984B11D682E2F253B75035D5B3EBFD5F
Malicious:	false
Preview:	..-.....................K.. ...Y.H`.K.Qw..6.......-.....................K.. ...Y.H`.K.Qw..6.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.034691623142539825
Encrypted:	false
SSDEEP:	3:Ol1zCRt1KlANWueXnlnSrV//mwl8XW3R2:KWHWrSpuw93w
MD5:	E529CFC89A6D1D5AD6CF16183A815903
SHA1:	B3BC94220001B74FD53ECA3EA44A74774DE97BE2
SHA-256:	A007025755F4BF520615C81B1A3AF16835D2381902F1C28BA7D0B6DA762FA049
SHA-512:	B14291D03EB10565946FE6C48FF7FB9BD836949FF029DF5F7C48D83A5637FAD5379C1248DCE8C13D098CDE1FC83818DBC2DA98C4A25928A5C144BFBB8C5378F3
Malicious:	false
Preview:	7....-...........H`.K.Qw.'K.............H`.K.Qw ..KY..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.465477501805094
Encrypted:	false
SSDEEP:	192:ynTFTRRUYbBp6YLZNMGaXb6qU4Juzy+/3/70l5RYiNBw8dHSl:YKexFNMaGOyCgdw00
MD5:	0F4F582B5AD3930BE1073D78678F14AE
SHA1:	9B4613BDBB8447B9EFDAA118AB8C63BC07B37712
SHA-256:	BA7188E2CCD977BF026404963DDC75DEF80425731246FC7F9B3E07581C428EF1
SHA-512:	1FD8C297F9399A0004DD6C45F165FDD9248F9A227BDEFE661213DFA6994707C030B04D917A7D82692500DC7A7847F8B9E72883C396317143F5FEB9EDCC971ADF
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732382211);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732382211);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732382211);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173238

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.465477501805094
Encrypted:	false
SSDEEP:	192:ynTFTRRUYbBp6YLZNMGaXb6qU4Juzy+/3/70l5RYiNBw8dHSl:YKexFNMaGOyCgdw00
MD5:	0F4F582B5AD3930BE1073D78678F14AE
SHA1:	9B4613BDBB8447B9EFDAA118AB8C63BC07B37712
SHA-256:	BA7188E2CCD977BF026404963DDC75DEF80425731246FC7F9B3E07581C428EF1
SHA-512:	1FD8C297F9399A0004DD6C45F165FDD9248F9A227BDEFE661213DFA6994707C030B04D917A7D82692500DC7A7847F8B9E72883C396317143F5FEB9EDCC971ADF
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732382211);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732382211);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732382211);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173238

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	6.350848822883863
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSmdLXnI1/pnxQwRlscT5sKLFUB3eHVvwKXTdJamhu71JmyOOxmOmaL:GUpOxLanRfBUB3eNwCTdJ4JNKRhHI
MD5:	27DB97CA606D557B2FAAC901118881D4
SHA1:	058107560DEE48AA7E8D13A849EF8193ABBB5A8B
SHA-256:	C82BD9686F598E6F133F39FA74C0DD0322520636EEF363D52D6D0DD32A2A4125
SHA-512:	CA75EEF48B47F4DAAB830011CEF5BB477CE246D8760545281436B5ED19E77F7A75173585B6E973D610CD842EA2DE03DE719055DC766BD95DC20A766F89A6C105
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a0b44b95-84c5-4cd8-9be3-eb5af77c1732}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK...}],"lastAccessed":....382216094,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`180616...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....185574,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	6.350848822883863
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSmdLXnI1/pnxQwRlscT5sKLFUB3eHVvwKXTdJamhu71JmyOOxmOmaL:GUpOxLanRfBUB3eNwCTdJ4JNKRhHI
MD5:	27DB97CA606D557B2FAAC901118881D4
SHA1:	058107560DEE48AA7E8D13A849EF8193ABBB5A8B
SHA-256:	C82BD9686F598E6F133F39FA74C0DD0322520636EEF363D52D6D0DD32A2A4125
SHA-512:	CA75EEF48B47F4DAAB830011CEF5BB477CE246D8760545281436B5ED19E77F7A75173585B6E973D610CD842EA2DE03DE719055DC766BD95DC20A766F89A6C105
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a0b44b95-84c5-4cd8-9be3-eb5af77c1732}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK...}],"lastAccessed":....382216094,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`180616...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....185574,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	6.350848822883863
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSmdLXnI1/pnxQwRlscT5sKLFUB3eHVvwKXTdJamhu71JmyOOxmOmaL:GUpOxLanRfBUB3eNwCTdJ4JNKRhHI
MD5:	27DB97CA606D557B2FAAC901118881D4
SHA1:	058107560DEE48AA7E8D13A849EF8193ABBB5A8B
SHA-256:	C82BD9686F598E6F133F39FA74C0DD0322520636EEF363D52D6D0DD32A2A4125
SHA-512:	CA75EEF48B47F4DAAB830011CEF5BB477CE246D8760545281436B5ED19E77F7A75173585B6E973D610CD842EA2DE03DE719055DC766BD95DC20A766F89A6C105
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{a0b44b95-84c5-4cd8-9be3-eb5af77c1732}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK...}],"lastAccessed":....382216094,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`180616...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....185574,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009753407914435
Encrypted:	false
SSDEEP:	48:YrSAYSPHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycSPCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	EC3131A595414F2595A94FD4760B4F29
SHA1:	895446FF84FACCB8B660EBD71BA9157B77E7B853
SHA-256:	9526E45851872456C6A19A98DBCEF6E8A866DBC1D32EBFC3D804830A212B7EB0
SHA-512:	CC55F6CFB9C95EEBF0CD8CD94A384F176C79557FF921EE73D9BCF10EAAB6644EB7FCCD9BEFA22B1E3FABCA0E69B1EF1270CEAD938A1084FE629E249B18897104
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T17:16:31.825Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009753407914435
Encrypted:	false
SSDEEP:	48:YrSAYSPHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycSPCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	EC3131A595414F2595A94FD4760B4F29
SHA1:	895446FF84FACCB8B660EBD71BA9157B77E7B853
SHA-256:	9526E45851872456C6A19A98DBCEF6E8A866DBC1D32EBFC3D804830A212B7EB0
SHA-512:	CC55F6CFB9C95EEBF0CD8CD94A384F176C79557FF921EE73D9BCF10EAAB6644EB7FCCD9BEFA22B1E3FABCA0E69B1EF1270CEAD938A1084FE629E249B18897104
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T17:16:31.825Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.592591435880394
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'624 bytes
MD5:	16f8b17baceadaed2044ccfcaae7d31d
SHA1:	63383b3bc5a7acfd4404c12719d961c06aadedbb
SHA256:	d21b71f8d3ade0e63d229a8969f22f6c0d7b8f0a011f5b74af5c31d79d10dcd4
SHA512:	d9b7ee9c0cc9448c5765837e49a1c290acd0437640ad54f92f3d6ea7f609b1f2097f6f6ae34185faa16f5b0697c53e1f43c8ab8b8a3388c7320086d0100b3cf9
SSDEEP:	12288:wqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaYT9:wqDEvCTbMWu7rQYlBQcBiT6rprG8ag9
TLSH:	0E159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6741F41E [Sat Nov 23 15:26:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8880D0E653h
jmp 00007F8880D0DF5Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8880D0E13Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8880D0E10Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8880D10CFDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8880D10D48h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8880D10D31h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa930	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa930	0xaa00	5066ce80cb642fe4b41856ef20659cdd	False	0.3740119485294118	data	5.653594150927351	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1bf8	data			1.0015363128491621
RT_GROUP_ICON	0xde3b0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde428	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde43c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde450	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde464	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde540	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 16:29:10.002672911 CET	49715	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:10.002748966 CET	443	49715	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:10.002810001 CET	49716	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:10.002852917 CET	443	49716	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:10.003031969 CET	49717	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:10.003083944 CET	443	49717	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:10.009440899 CET	49715	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:10.009455919 CET	49716	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:10.009463072 CET	49717	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:10.014671087 CET	49715	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:10.014709949 CET	443	49715	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:10.016068935 CET	49716	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:10.016086102 CET	443	49716	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:10.020107985 CET	49717	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:10.020143032 CET	443	49717	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:10.281886101 CET	49719	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:10.386379957 CET	49720	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:10.386442900 CET	443	49720	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:10.386646986 CET	49720	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:10.388160944 CET	49720	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:10.388185024 CET	443	49720	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:10.401969910 CET	80	49719	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:10.402147055 CET	49719	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:10.402321100 CET	49719	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:10.422606945 CET	49721	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:10.422651052 CET	443	49721	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:10.422751904 CET	49721	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:10.424777985 CET	49721	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:10.424792051 CET	443	49721	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:10.425520897 CET	49722	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:10.425537109 CET	443	49722	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:10.426009893 CET	49722	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:10.426122904 CET	49722	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:10.426132917 CET	443	49722	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:10.523921967 CET	80	49719	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:10.640988111 CET	49723	443	192.168.2.6	34.160.144.191
Nov 23, 2024 16:29:10.641026020 CET	443	49723	34.160.144.191	192.168.2.6
Nov 23, 2024 16:29:10.641133070 CET	49723	443	192.168.2.6	34.160.144.191
Nov 23, 2024 16:29:10.641293049 CET	49723	443	192.168.2.6	34.160.144.191
Nov 23, 2024 16:29:10.641304970 CET	443	49723	34.160.144.191	192.168.2.6
Nov 23, 2024 16:29:11.315408945 CET	443	49717	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:11.315707922 CET	49717	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:11.323240042 CET	49717	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:11.323273897 CET	443	49717	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:11.323422909 CET	49717	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:11.323435068 CET	443	49717	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:11.323445082 CET	443	49717	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:11.323827982 CET	49725	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:11.323854923 CET	443	49725	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:11.323889017 CET	49717	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:11.324696064 CET	49725	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:11.326176882 CET	49725	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:11.326191902 CET	443	49725	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:11.582901001 CET	80	49719	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:11.626604080 CET	49719	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:11.643656015 CET	443	49722	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:11.643738031 CET	49722	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:11.646652937 CET	49722	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:11.646663904 CET	443	49722	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:11.646928072 CET	443	49722	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:11.648603916 CET	49722	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:11.648675919 CET	49722	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:11.648742914 CET	443	49722	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:11.648804903 CET	49722	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:11.648804903 CET	49722	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:11.663721085 CET	443	49720	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:11.663849115 CET	49720	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:11.668627977 CET	49720	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:11.668678999 CET	443	49720	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:11.668737888 CET	49720	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:11.668965101 CET	443	49720	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:11.669401884 CET	49720	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:11.732832909 CET	443	49715	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:11.732842922 CET	443	49715	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:11.733122110 CET	49715	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:11.733582020 CET	443	49715	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:11.734088898 CET	49715	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:11.738250017 CET	49715	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:11.738291979 CET	443	49715	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:11.738393068 CET	49715	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:11.738478899 CET	443	49715	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:11.739087105 CET	49715	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:11.745049953 CET	443	49721	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:11.745687962 CET	49721	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:11.750160933 CET	49721	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:11.750174999 CET	443	49721	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:11.750266075 CET	49721	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:11.750444889 CET	443	49721	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:11.750536919 CET	49721	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:11.753092051 CET	49719	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:11.784990072 CET	443	49716	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:11.785007954 CET	443	49716	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:11.785168886 CET	49716	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:11.786036968 CET	443	49716	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:11.786103964 CET	49716	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:11.789676905 CET	49716	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:11.789693117 CET	443	49716	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:11.789805889 CET	49716	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:11.789896965 CET	443	49716	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:11.790213108 CET	49727	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:11.790237904 CET	443	49727	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:11.790381908 CET	49716	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:11.790421963 CET	49727	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:11.791754007 CET	49727	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:11.791775942 CET	443	49727	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:11.876548052 CET	80	49719	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:11.878277063 CET	49719	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:11.909003973 CET	443	49723	34.160.144.191	192.168.2.6
Nov 23, 2024 16:29:11.912477970 CET	49723	443	192.168.2.6	34.160.144.191
Nov 23, 2024 16:29:11.915378094 CET	49723	443	192.168.2.6	34.160.144.191
Nov 23, 2024 16:29:11.915389061 CET	443	49723	34.160.144.191	192.168.2.6
Nov 23, 2024 16:29:11.915705919 CET	443	49723	34.160.144.191	192.168.2.6
Nov 23, 2024 16:29:11.917850018 CET	49723	443	192.168.2.6	34.160.144.191
Nov 23, 2024 16:29:11.917938948 CET	49723	443	192.168.2.6	34.160.144.191
Nov 23, 2024 16:29:11.917995930 CET	443	49723	34.160.144.191	192.168.2.6
Nov 23, 2024 16:29:11.918055058 CET	49723	443	192.168.2.6	34.160.144.191
Nov 23, 2024 16:29:12.230925083 CET	49728	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:12.230979919 CET	443	49728	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:12.238274097 CET	49729	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:12.238308907 CET	443	49729	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:12.239337921 CET	49728	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:12.241096020 CET	49728	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:12.241111040 CET	443	49728	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:12.241282940 CET	49729	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:12.242789984 CET	49729	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:12.242805958 CET	443	49729	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:12.380578041 CET	49730	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:12.380626917 CET	443	49730	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:12.381084919 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:12.381335974 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:12.384742975 CET	49730	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:12.386308908 CET	49730	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:12.386321068 CET	443	49730	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:12.474277020 CET	49733	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:12.474322081 CET	443	49733	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:12.475809097 CET	49733	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:12.477442980 CET	49733	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:12.477454901 CET	443	49733	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:12.500732899 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:12.501313925 CET	49734	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:12.501351118 CET	443	49734	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:12.501852036 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:12.501935959 CET	49734	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:12.501970053 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:12.502156019 CET	49734	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:12.502173901 CET	443	49734	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:12.510787010 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:12.514632940 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:12.514771938 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:12.582976103 CET	443	49725	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:12.584223032 CET	49725	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:12.589644909 CET	49725	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:12.589677095 CET	443	49725	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:12.589786053 CET	49725	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:12.589802027 CET	443	49725	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:12.604530096 CET	49725	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:12.621532917 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:12.634413004 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:12.970638037 CET	49735	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:12.970664024 CET	443	49735	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:12.974034071 CET	49735	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:12.975461960 CET	49735	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:12.975476027 CET	443	49735	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:13.521795988 CET	443	49728	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:13.521816969 CET	443	49728	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:13.521900892 CET	49728	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:13.526122093 CET	49728	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:13.526145935 CET	443	49728	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:13.526252031 CET	49728	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:13.526366949 CET	443	49728	34.117.188.166	192.168.2.6
Nov 23, 2024 16:29:13.533237934 CET	49728	443	192.168.2.6	34.117.188.166
Nov 23, 2024 16:29:13.554354906 CET	443	49727	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:13.554621935 CET	49727	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:13.555254936 CET	443	49727	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:13.555335999 CET	49727	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:13.559098005 CET	49727	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:13.559106112 CET	443	49727	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:13.559214115 CET	49727	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:13.559366941 CET	443	49727	142.250.181.78	192.168.2.6
Nov 23, 2024 16:29:13.559657097 CET	49727	443	192.168.2.6	142.250.181.78
Nov 23, 2024 16:29:13.581154108 CET	443	49729	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:13.584260941 CET	49729	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:13.591160059 CET	49729	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:13.591167927 CET	443	49729	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:13.591240883 CET	49729	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:13.591399908 CET	443	49729	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:13.591490030 CET	49729	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:13.749737024 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:13.749752998 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:13.763046980 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:13.791079998 CET	443	49730	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:13.791171074 CET	49730	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:13.794843912 CET	49730	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:13.794855118 CET	443	49730	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:13.794950008 CET	49730	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:13.795037031 CET	443	49730	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:13.795619011 CET	49730	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:13.801608086 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:13.880346060 CET	443	49734	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:13.880446911 CET	49734	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:13.882999897 CET	49734	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:13.883028984 CET	443	49734	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:13.883274078 CET	443	49734	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:13.885925055 CET	49734	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:13.886003971 CET	49734	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:13.886068106 CET	443	49734	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:13.886159897 CET	49734	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:13.969801903 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:13.988739967 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:13.996038914 CET	443	49733	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:13.996120930 CET	49733	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:14.000684023 CET	49733	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:14.000691891 CET	443	49733	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:14.000760078 CET	49733	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:14.000852108 CET	443	49733	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:14.000916004 CET	49733	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:14.086966038 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:14.089400053 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:14.118846893 CET	49742	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:14.118885994 CET	443	49742	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:14.119290113 CET	49742	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:14.120635033 CET	49742	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:14.120657921 CET	443	49742	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:14.122744083 CET	49743	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:14.122775078 CET	443	49743	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:14.123327017 CET	49743	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:14.123405933 CET	49743	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:14.123420000 CET	443	49743	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:14.127294064 CET	49744	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:14.127329111 CET	443	49744	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:14.127537012 CET	49744	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:14.127649069 CET	49744	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:14.127659082 CET	443	49744	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:14.140197992 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:14.250540018 CET	443	49735	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:14.250639915 CET	49735	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:14.293217897 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:14.335834026 CET	49735	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:14.335845947 CET	443	49735	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:14.335932016 CET	49735	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:14.335978985 CET	443	49735	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:14.336229086 CET	49735	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:14.340789080 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:15.391500950 CET	443	49744	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:15.391621113 CET	49744	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:15.394216061 CET	49744	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:15.394227982 CET	443	49744	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:15.394543886 CET	443	49744	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:15.396611929 CET	49744	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:15.396771908 CET	49744	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:15.396787882 CET	443	49744	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:15.396897078 CET	49744	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:15.425240040 CET	443	49742	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:15.425347090 CET	49742	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:15.425992966 CET	443	49743	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:15.426492929 CET	49743	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:15.429748058 CET	49743	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:15.429754972 CET	443	49743	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:15.430001974 CET	443	49743	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:15.432635069 CET	49742	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:15.432666063 CET	443	49742	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:15.432709932 CET	49742	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:15.432858944 CET	443	49742	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:15.432981014 CET	49742	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:15.433212996 CET	49743	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:15.433319092 CET	49743	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:15.433351040 CET	443	49743	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:15.433408976 CET	49743	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:23.110433102 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:23.112032890 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:23.113600016 CET	49770	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:23.113643885 CET	443	49770	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:23.113853931 CET	49771	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:23.113898039 CET	443	49771	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:23.114103079 CET	49772	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:23.114181995 CET	443	49772	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:23.115139961 CET	49770	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:23.115276098 CET	49770	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:23.115277052 CET	49771	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:23.115284920 CET	49772	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:23.115288973 CET	443	49770	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:23.116938114 CET	49771	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:23.116956949 CET	443	49771	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:23.117054939 CET	49772	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:23.117094994 CET	443	49772	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:23.231146097 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:23.232393980 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:23.439985991 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:23.440071106 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:23.495238066 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:23.495301008 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:24.344813108 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:24.379929066 CET	49777	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:24.379945040 CET	443	49777	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:24.380275965 CET	49777	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:24.381712914 CET	49777	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:24.381728888 CET	443	49777	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:24.384160995 CET	443	49772	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:24.384457111 CET	443	49770	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:24.384661913 CET	443	49771	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:24.385282993 CET	49772	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.385435104 CET	49771	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.385441065 CET	49770	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.388595104 CET	49772	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.388622999 CET	443	49772	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:24.389031887 CET	443	49772	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:24.390863895 CET	49770	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.390881062 CET	443	49770	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:24.391277075 CET	443	49770	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:24.395889997 CET	49772	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.395977020 CET	49772	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.396323919 CET	443	49772	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:24.397221088 CET	49770	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.397299051 CET	49770	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.397672892 CET	443	49770	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:24.397840977 CET	49772	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.397865057 CET	49770	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.397886992 CET	49770	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.397892952 CET	49772	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.400177002 CET	49771	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.400206089 CET	443	49771	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:24.400243998 CET	49771	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.400729895 CET	443	49771	34.120.208.123	192.168.2.6
Nov 23, 2024 16:29:24.405245066 CET	49771	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:29:24.468759060 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:24.674442053 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:24.720838070 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:25.375559092 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:25.495115042 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:25.699049950 CET	443	49777	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:25.699139118 CET	49777	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:25.699265003 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:25.754966974 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:26.697549105 CET	49777	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:26.697586060 CET	443	49777	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:26.697767973 CET	49777	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:26.697849035 CET	443	49777	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:26.705681086 CET	49777	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:26.919861078 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:27.041476965 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:27.245333910 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:27.290513992 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:28.288716078 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:28.408390045 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:28.615782976 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:28.663321018 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:36.704457045 CET	49805	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:36.704507113 CET	443	49805	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:36.704649925 CET	49805	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:36.705049992 CET	49805	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:36.705070019 CET	443	49805	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:36.705874920 CET	49806	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:36.705897093 CET	443	49806	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:36.706305981 CET	49806	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:36.708298922 CET	49806	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:36.708321095 CET	443	49806	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:36.716700077 CET	49807	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:36.716742992 CET	443	49807	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:36.722479105 CET	49807	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:36.723968029 CET	49807	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:36.723999977 CET	443	49807	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:36.846842051 CET	49808	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:36.846884966 CET	443	49808	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:36.847443104 CET	49808	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:36.847615957 CET	49808	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:36.847620964 CET	49809	443	192.168.2.6	151.101.129.91
Nov 23, 2024 16:29:36.847628117 CET	443	49808	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:36.847670078 CET	443	49809	151.101.129.91	192.168.2.6
Nov 23, 2024 16:29:36.848015070 CET	49809	443	192.168.2.6	151.101.129.91
Nov 23, 2024 16:29:36.848015070 CET	49809	443	192.168.2.6	151.101.129.91
Nov 23, 2024 16:29:36.848062992 CET	443	49809	151.101.129.91	192.168.2.6
Nov 23, 2024 16:29:37.021030903 CET	49810	443	192.168.2.6	35.201.103.21
Nov 23, 2024 16:29:37.021071911 CET	443	49810	35.201.103.21	192.168.2.6
Nov 23, 2024 16:29:37.021184921 CET	49810	443	192.168.2.6	35.201.103.21
Nov 23, 2024 16:29:37.022543907 CET	49810	443	192.168.2.6	35.201.103.21
Nov 23, 2024 16:29:37.022555113 CET	443	49810	35.201.103.21	192.168.2.6
Nov 23, 2024 16:29:37.255143881 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:37.485629082 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:38.030410051 CET	443	49806	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:38.030507088 CET	49806	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:38.035547018 CET	49806	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:38.035567999 CET	443	49806	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:38.035649061 CET	49806	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:38.035799026 CET	443	49806	35.190.72.216	192.168.2.6
Nov 23, 2024 16:29:38.036717892 CET	49806	443	192.168.2.6	35.190.72.216
Nov 23, 2024 16:29:38.038647890 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:38.066026926 CET	443	49805	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:38.071355104 CET	443	49805	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:38.071393013 CET	49805	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:38.074069977 CET	49805	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:38.074079037 CET	443	49805	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:38.074839115 CET	443	49805	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:38.079622030 CET	49805	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:38.081397057 CET	49805	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:38.081501007 CET	49805	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:38.081737041 CET	443	49805	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:38.082072973 CET	49805	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:38.130194902 CET	443	49809	151.101.129.91	192.168.2.6
Nov 23, 2024 16:29:38.132823944 CET	49809	443	192.168.2.6	151.101.129.91
Nov 23, 2024 16:29:38.135725021 CET	49809	443	192.168.2.6	151.101.129.91
Nov 23, 2024 16:29:38.135739088 CET	443	49809	151.101.129.91	192.168.2.6
Nov 23, 2024 16:29:38.136184931 CET	443	49809	151.101.129.91	192.168.2.6
Nov 23, 2024 16:29:38.138492107 CET	49809	443	192.168.2.6	151.101.129.91
Nov 23, 2024 16:29:38.138570070 CET	49809	443	192.168.2.6	151.101.129.91
Nov 23, 2024 16:29:38.138696909 CET	443	49809	151.101.129.91	192.168.2.6
Nov 23, 2024 16:29:38.138806105 CET	49809	443	192.168.2.6	151.101.129.91
Nov 23, 2024 16:29:38.146626949 CET	49816	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.146687984 CET	443	49816	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:38.147339106 CET	49816	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.147454977 CET	49816	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.147488117 CET	443	49816	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:38.149434090 CET	49817	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.149466038 CET	443	49817	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:38.150836945 CET	49817	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.150979042 CET	49817	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.150995970 CET	443	49817	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:38.152332067 CET	49818	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.152354956 CET	443	49818	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:38.152604103 CET	49818	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.152729988 CET	49818	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.152750969 CET	443	49818	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:38.158126116 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:38.179635048 CET	443	49807	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:38.179698944 CET	49807	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:38.182816982 CET	49807	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:38.182823896 CET	443	49807	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:38.182893991 CET	49807	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:38.182940960 CET	443	49807	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:38.183197021 CET	49807	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:38.238907099 CET	443	49808	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:38.239041090 CET	49808	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.241596937 CET	49808	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.241610050 CET	443	49808	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:38.241925955 CET	443	49808	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:38.244169950 CET	49808	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.244246006 CET	49808	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.244354963 CET	443	49808	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:38.245851040 CET	49808	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:38.291408062 CET	443	49810	35.201.103.21	192.168.2.6
Nov 23, 2024 16:29:38.291476011 CET	49810	443	192.168.2.6	35.201.103.21
Nov 23, 2024 16:29:38.295105934 CET	49810	443	192.168.2.6	35.201.103.21
Nov 23, 2024 16:29:38.295114994 CET	443	49810	35.201.103.21	192.168.2.6
Nov 23, 2024 16:29:38.295181990 CET	49810	443	192.168.2.6	35.201.103.21
Nov 23, 2024 16:29:38.295489073 CET	443	49810	35.201.103.21	192.168.2.6
Nov 23, 2024 16:29:38.295645952 CET	49810	443	192.168.2.6	35.201.103.21
Nov 23, 2024 16:29:38.307265997 CET	49819	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:38.307302952 CET	443	49819	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:38.307447910 CET	49819	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:38.307537079 CET	49819	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:38.307550907 CET	443	49819	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:38.362257957 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:38.364588976 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:38.411657095 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:38.484191895 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:38.692461967 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:38.743798018 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:39.364089966 CET	443	49817	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.364655972 CET	49817	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.367661953 CET	49817	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.367682934 CET	443	49817	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.368017912 CET	443	49817	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.370467901 CET	49817	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.370661020 CET	49817	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.370666981 CET	443	49817	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.370690107 CET	443	49817	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.374505997 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:39.417927027 CET	443	49818	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.418034077 CET	49818	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.420862913 CET	49818	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.420877934 CET	443	49818	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.421715975 CET	443	49818	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.423346043 CET	49818	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.423424006 CET	49818	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.423554897 CET	443	49818	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.424309969 CET	49818	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.450859070 CET	443	49816	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.450954914 CET	49816	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.453298092 CET	49816	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.453325033 CET	443	49816	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.453574896 CET	443	49816	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.455183029 CET	49816	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.455269098 CET	49816	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.455348015 CET	443	49816	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.461486101 CET	49816	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.461486101 CET	49816	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.494431019 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:39.575340986 CET	443	49817	35.244.181.201	192.168.2.6
Nov 23, 2024 16:29:39.575418949 CET	49817	443	192.168.2.6	35.244.181.201
Nov 23, 2024 16:29:39.611107111 CET	443	49819	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:39.611224890 CET	49819	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:39.614531040 CET	49819	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:39.614542007 CET	443	49819	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:39.614743948 CET	443	49819	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:39.617070913 CET	49819	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:39.617173910 CET	49819	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:39.617185116 CET	443	49819	34.149.100.209	192.168.2.6
Nov 23, 2024 16:29:39.617331028 CET	49819	443	192.168.2.6	34.149.100.209
Nov 23, 2024 16:29:39.698340893 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:39.701702118 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:39.746681929 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:39.821316004 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:40.029568911 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:40.085356951 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:49.700099945 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:49.820321083 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:50.032236099 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:50.158760071 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:54.790045023 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:54.914998055 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:55.120754957 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:55.124660015 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:55.169373989 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:55.249403000 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:55.454291105 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:29:55.501513958 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:58.567735910 CET	49864	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:58.567781925 CET	443	49864	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:58.568139076 CET	49864	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:58.569561958 CET	49864	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:58.569588900 CET	443	49864	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:59.827300072 CET	443	49864	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:59.827444077 CET	49864	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:59.831386089 CET	49864	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:59.831413031 CET	443	49864	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:59.831474066 CET	49864	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:59.831598043 CET	443	49864	34.107.243.93	192.168.2.6
Nov 23, 2024 16:29:59.836532116 CET	49864	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:29:59.838823080 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:29:59.958583117 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:00.162405014 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:00.166229963 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:00.214874029 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:00.285888910 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:00.492410898 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:00.546981096 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:06.644998074 CET	49882	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.645052910 CET	443	49882	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:06.645229101 CET	49883	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.645320892 CET	443	49883	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:06.645401955 CET	49884	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.645448923 CET	443	49884	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:06.645615101 CET	49885	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.645683050 CET	443	49885	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:06.645787001 CET	49886	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.645801067 CET	443	49886	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:06.645946026 CET	49887	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.645963907 CET	443	49887	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:06.646095991 CET	49882	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.646102905 CET	49883	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.646116018 CET	49884	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.646121025 CET	49885	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.646296978 CET	49886	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.646301031 CET	49887	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.646354914 CET	49882	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.646384001 CET	443	49882	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:06.646471024 CET	49887	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.646498919 CET	443	49887	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:06.646534920 CET	49886	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.646555901 CET	443	49886	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:06.646624088 CET	49885	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.646650076 CET	443	49885	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:06.646668911 CET	49884	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.646687031 CET	443	49884	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:06.646744013 CET	49883	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:06.646775007 CET	443	49883	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.864867926 CET	443	49887	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.864998102 CET	49887	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.868613005 CET	49887	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.868643045 CET	443	49887	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.868966103 CET	443	49887	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.871586084 CET	49887	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.871705055 CET	49887	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.871747017 CET	443	49887	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.872183084 CET	49892	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.872227907 CET	443	49892	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.872286081 CET	49887	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.872313023 CET	49892	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.872570038 CET	49892	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.872581959 CET	443	49892	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.876100063 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:07.908394098 CET	443	49885	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.908577919 CET	49885	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.910721064 CET	443	49886	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.911169052 CET	49885	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.911189079 CET	443	49885	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.911421061 CET	443	49885	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.911550045 CET	49886	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.913640022 CET	49886	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.913661003 CET	443	49886	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.913992882 CET	443	49886	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.915328979 CET	49885	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.915424109 CET	49885	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.915462017 CET	443	49885	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.915868044 CET	49893	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.915889978 CET	443	49893	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.916645050 CET	49886	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.916726112 CET	49886	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.916802883 CET	443	49886	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.923324108 CET	443	49886	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.923692942 CET	49886	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.923693895 CET	49885	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.923727989 CET	49886	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.923743010 CET	49893	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.923753023 CET	49886	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.923851967 CET	49893	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.923862934 CET	443	49893	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.955348969 CET	443	49883	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.955424070 CET	49883	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.956557035 CET	443	49882	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.957748890 CET	443	49884	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.958250999 CET	49883	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.958261013 CET	443	49883	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.958451033 CET	49882	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.958543062 CET	49884	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.958570004 CET	443	49883	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.960594893 CET	49882	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.960622072 CET	443	49882	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.960944891 CET	443	49882	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.962727070 CET	49884	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.962740898 CET	443	49884	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.962975979 CET	443	49884	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.966753006 CET	49883	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.966850042 CET	49883	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.966900110 CET	443	49883	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.967098951 CET	49882	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.967147112 CET	49882	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.967272043 CET	443	49882	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.967519999 CET	49884	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.967569113 CET	49884	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.967649937 CET	443	49884	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:07.967703104 CET	49883	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.967736006 CET	49884	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.967737913 CET	49882	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:07.996313095 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:08.201123953 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:08.205842972 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:08.243663073 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:08.329102993 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:08.545783997 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:08.598030090 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:09.099611044 CET	443	49892	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:09.099697113 CET	49892	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:09.104321957 CET	49892	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:09.104370117 CET	443	49892	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:09.104768038 CET	443	49892	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:09.107294083 CET	49892	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:09.107480049 CET	49892	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:09.107515097 CET	443	49892	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:09.108351946 CET	49892	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:09.110565901 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:09.154031992 CET	443	49893	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:09.154067039 CET	443	49893	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:09.154201984 CET	49893	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:09.157403946 CET	49893	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:09.157413960 CET	443	49893	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:09.157623053 CET	443	49893	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:09.160043001 CET	49893	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:09.160151958 CET	49893	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:09.160192966 CET	443	49893	34.120.208.123	192.168.2.6
Nov 23, 2024 16:30:09.161073923 CET	49893	443	192.168.2.6	34.120.208.123
Nov 23, 2024 16:30:09.230145931 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:09.441993952 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:09.445044041 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:09.484949112 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:09.564701080 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:09.769058943 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:09.817147017 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:19.443854094 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:19.564666986 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:19.775974035 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:19.902452946 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:29.572160959 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:29.695492029 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:29.904311895 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:30.025408983 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:39.699531078 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:39.819274902 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:39.991333008 CET	49966	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:30:39.991393089 CET	443	49966	34.107.243.93	192.168.2.6
Nov 23, 2024 16:30:39.992163897 CET	49966	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:30:39.993418932 CET	49966	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:30:39.993438005 CET	443	49966	34.107.243.93	192.168.2.6
Nov 23, 2024 16:30:40.031622887 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:40.151273966 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:41.312710047 CET	443	49966	34.107.243.93	192.168.2.6
Nov 23, 2024 16:30:41.312827110 CET	49966	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:30:41.318375111 CET	49966	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:30:41.318403006 CET	443	49966	34.107.243.93	192.168.2.6
Nov 23, 2024 16:30:41.318494081 CET	49966	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:30:41.318763018 CET	443	49966	34.107.243.93	192.168.2.6
Nov 23, 2024 16:30:41.319251060 CET	49966	443	192.168.2.6	34.107.243.93
Nov 23, 2024 16:30:41.321090937 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:41.441023111 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:41.645478964 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:41.648819923 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:41.689616919 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:41.768676996 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:41.972510099 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:42.021805048 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:51.650125027 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:51.769643068 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:30:51.989031076 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:30:52.109801054 CET	80	49731	34.107.221.82	192.168.2.6
Nov 23, 2024 16:31:01.779618025 CET	49732	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:31:01.899334908 CET	80	49732	34.107.221.82	192.168.2.6
Nov 23, 2024 16:31:02.118210077 CET	49731	80	192.168.2.6	34.107.221.82
Nov 23, 2024 16:31:02.238229036 CET	80	49731	34.107.221.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 16:29:09.762936115 CET	56784	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:09.764007092 CET	54117	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:09.901990891 CET	53	56784	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.003599882 CET	52352	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.003846884 CET	56176	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.003982067 CET	60186	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.141877890 CET	53	52352	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.142703056 CET	64041	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.142955065 CET	53	56176	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.143711090 CET	52215	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.143805981 CET	53	60186	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.144280910 CET	63183	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.243691921 CET	56681	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.280277014 CET	53	64041	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.280989885 CET	53	52215	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.282887936 CET	62091	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.385114908 CET	53	56681	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.386560917 CET	64343	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.396641016 CET	53	63183	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.421082020 CET	53	62091	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.422341108 CET	63503	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.426105976 CET	55236	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.497834921 CET	49188	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.525738955 CET	53	64343	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.549602985 CET	53843	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.639858961 CET	53	49188	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.671451092 CET	53	55236	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.672259092 CET	64973	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.689326048 CET	53	53843	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.690571070 CET	61290	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.701581001 CET	65101	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.748765945 CET	53	63503	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.749854088 CET	57005	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.810372114 CET	53	64973	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.827946901 CET	53	61290	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.834028959 CET	54892	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:10.888501883 CET	53	57005	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:10.973419905 CET	53	54892	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:11.275439024 CET	53	58618	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:11.448898077 CET	49937	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:11.588130951 CET	53	49937	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:11.590329885 CET	61035	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:11.733772039 CET	53	61035	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:11.736955881 CET	57571	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:11.752136946 CET	61802	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:11.752726078 CET	56878	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:11.892457008 CET	53	57571	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:11.892471075 CET	53	56878	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:11.892875910 CET	53	61802	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:12.226948023 CET	62252	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:12.304739952 CET	64402	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:12.382719040 CET	52027	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:12.442003965 CET	53	64402	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:12.475119114 CET	54961	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:12.528106928 CET	53	52027	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:12.612891912 CET	53	54961	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:12.618520975 CET	62008	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:12.624126911 CET	51453	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:12.759480000 CET	53	62008	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:12.766429901 CET	53	51453	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:13.158032894 CET	64701	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:13.158598900 CET	64126	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:13.159075022 CET	63939	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:13.295471907 CET	53	64701	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:13.295959949 CET	53	63939	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:13.301059008 CET	53	64126	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:13.302532911 CET	58401	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:13.302532911 CET	57347	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:13.302881002 CET	54839	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:13.439974070 CET	53	57347	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:13.440689087 CET	53	54839	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:13.444850922 CET	53	58401	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:13.490608931 CET	56368	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:13.490788937 CET	49974	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:13.490892887 CET	49395	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:13.629290104 CET	53	56368	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:13.629940033 CET	53	49974	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:13.632045984 CET	53	49395	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:13.641861916 CET	55088	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:13.659729004 CET	62132	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:13.878070116 CET	53	55088	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:13.878957987 CET	54562	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:13.988717079 CET	53	62132	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:13.989511967 CET	60499	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:14.100251913 CET	53	54562	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:14.102233887 CET	51447	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:14.130980968 CET	53	60499	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:14.131488085 CET	60770	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:14.241378069 CET	53	51447	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:14.268313885 CET	53	60770	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:17.682451010 CET	53208	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:17.819551945 CET	53	53208	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:18.232616901 CET	54016	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:18.373713017 CET	53	54016	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:18.374613047 CET	58622	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:18.690896988 CET	53	58622	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:23.120202065 CET	50807	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:23.257607937 CET	53	50807	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:24.380290031 CET	63060	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:24.529540062 CET	53	63060	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:36.702115059 CET	63911	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:36.708302021 CET	65427	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:36.716700077 CET	53304	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:36.846400976 CET	53	63911	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:36.846847057 CET	63757	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:36.848458052 CET	63987	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:37.017884970 CET	53	53304	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:37.018913984 CET	53	63757	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:37.019300938 CET	53	63987	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:37.020020008 CET	53546	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:37.020065069 CET	53	65427	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:37.021190882 CET	54590	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:37.157356977 CET	53	53546	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:37.245357037 CET	53	54590	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:37.246206999 CET	62710	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:37.597019911 CET	53	62710	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:54.790395975 CET	65242	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:58.428616047 CET	58281	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:58.566549063 CET	53	58281	1.1.1.1	192.168.2.6
Nov 23, 2024 16:29:58.568078995 CET	53839	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:29:58.705085039 CET	53	53839	1.1.1.1	192.168.2.6
Nov 23, 2024 16:30:06.643815994 CET	57980	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:30:06.785813093 CET	53	57980	1.1.1.1	192.168.2.6
Nov 23, 2024 16:30:39.992106915 CET	54168	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:30:40.130326033 CET	53	54168	1.1.1.1	192.168.2.6
Nov 23, 2024 16:30:41.321379900 CET	49944	53	192.168.2.6	1.1.1.1
Nov 23, 2024 16:30:41.520431042 CET	49944	53	192.168.2.6	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 16:29:09.762936115 CET	192.168.2.6	1.1.1.1	0xc12a	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:09.764007092 CET	192.168.2.6	1.1.1.1	0xf692	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.003599882 CET	192.168.2.6	1.1.1.1	0x36e4	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.003846884 CET	192.168.2.6	1.1.1.1	0xf310	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.003982067 CET	192.168.2.6	1.1.1.1	0xe256	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.142703056 CET	192.168.2.6	1.1.1.1	0xd815	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 23, 2024 16:29:10.143711090 CET	192.168.2.6	1.1.1.1	0x52ed	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 16:29:10.144280910 CET	192.168.2.6	1.1.1.1	0x4245	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 16:29:10.243691921 CET	192.168.2.6	1.1.1.1	0xbba0	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.282887936 CET	192.168.2.6	1.1.1.1	0xe927	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.386560917 CET	192.168.2.6	1.1.1.1	0xccfa	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.422341108 CET	192.168.2.6	1.1.1.1	0xc9a8	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.426105976 CET	192.168.2.6	1.1.1.1	0xaa54	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.497834921 CET	192.168.2.6	1.1.1.1	0x3fe6	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.549602985 CET	192.168.2.6	1.1.1.1	0x3f67	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 16:29:10.672259092 CET	192.168.2.6	1.1.1.1	0x288b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 16:29:10.690571070 CET	192.168.2.6	1.1.1.1	0xfcc8	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.701581001 CET	192.168.2.6	1.1.1.1	0xaf00	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.749854088 CET	192.168.2.6	1.1.1.1	0x82a2	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 16:29:10.834028959 CET	192.168.2.6	1.1.1.1	0x7801	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 16:29:11.448898077 CET	192.168.2.6	1.1.1.1	0x6801	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:11.590329885 CET	192.168.2.6	1.1.1.1	0x1290	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:11.736955881 CET	192.168.2.6	1.1.1.1	0xc080	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 16:29:11.752136946 CET	192.168.2.6	1.1.1.1	0xa0d	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:11.752726078 CET	192.168.2.6	1.1.1.1	0x1585	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:12.226948023 CET	192.168.2.6	1.1.1.1	0x22a2	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:12.304739952 CET	192.168.2.6	1.1.1.1	0xd002	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:12.382719040 CET	192.168.2.6	1.1.1.1	0x84c6	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:12.475119114 CET	192.168.2.6	1.1.1.1	0xcb77	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:12.618520975 CET	192.168.2.6	1.1.1.1	0x5e44	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 16:29:12.624126911 CET	192.168.2.6	1.1.1.1	0x38fa	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 16:29:13.158032894 CET	192.168.2.6	1.1.1.1	0x645f	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.158598900 CET	192.168.2.6	1.1.1.1	0xf2ba	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.159075022 CET	192.168.2.6	1.1.1.1	0xc2ac	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.302532911 CET	192.168.2.6	1.1.1.1	0xe38e	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.302532911 CET	192.168.2.6	1.1.1.1	0xf9eb	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.302881002 CET	192.168.2.6	1.1.1.1	0xdc2d	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.490608931 CET	192.168.2.6	1.1.1.1	0x9945	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 23, 2024 16:29:13.490788937 CET	192.168.2.6	1.1.1.1	0x5a86	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 23, 2024 16:29:13.490892887 CET	192.168.2.6	1.1.1.1	0xefb6	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 23, 2024 16:29:13.641861916 CET	192.168.2.6	1.1.1.1	0x9edf	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.659729004 CET	192.168.2.6	1.1.1.1	0xc503	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.878957987 CET	192.168.2.6	1.1.1.1	0x7f0c	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.989511967 CET	192.168.2.6	1.1.1.1	0x508d	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:14.102233887 CET	192.168.2.6	1.1.1.1	0x5c71	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 23, 2024 16:29:14.131488085 CET	192.168.2.6	1.1.1.1	0x7cc2	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 23, 2024 16:29:17.682451010 CET	192.168.2.6	1.1.1.1	0x4f4d	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:18.232616901 CET	192.168.2.6	1.1.1.1	0x3652	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:18.374613047 CET	192.168.2.6	1.1.1.1	0xf180	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 16:29:23.120202065 CET	192.168.2.6	1.1.1.1	0x12b7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 16:29:24.380290031 CET	192.168.2.6	1.1.1.1	0x8321	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 16:29:36.702115059 CET	192.168.2.6	1.1.1.1	0x90ec	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:36.708302021 CET	192.168.2.6	1.1.1.1	0xe80c	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:36.716700077 CET	192.168.2.6	1.1.1.1	0x41f3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 16:29:36.846847057 CET	192.168.2.6	1.1.1.1	0xb652	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 16:29:36.848458052 CET	192.168.2.6	1.1.1.1	0xf0fd	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:37.020020008 CET	192.168.2.6	1.1.1.1	0xf26e	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 23, 2024 16:29:37.021190882 CET	192.168.2.6	1.1.1.1	0x23b2	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:37.246206999 CET	192.168.2.6	1.1.1.1	0x24f4	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 16:29:54.790395975 CET	192.168.2.6	1.1.1.1	0xae1a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:58.428616047 CET	192.168.2.6	1.1.1.1	0x5391	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:58.568078995 CET	192.168.2.6	1.1.1.1	0x94ee	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 16:30:06.643815994 CET	192.168.2.6	1.1.1.1	0xdc7b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 16:30:39.992106915 CET	192.168.2.6	1.1.1.1	0x18e4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 16:30:41.321379900 CET	192.168.2.6	1.1.1.1	0x423c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:30:41.520431042 CET	192.168.2.6	1.1.1.1	0x423c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 16:29:09.893651009 CET	1.1.1.1	192.168.2.6	0xaaaa	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:09.901990891 CET	1.1.1.1	192.168.2.6	0xc12a	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:09.903888941 CET	1.1.1.1	192.168.2.6	0xf692	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:09.903888941 CET	1.1.1.1	192.168.2.6	0xf692	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.141877890 CET	1.1.1.1	192.168.2.6	0x36e4	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.142955065 CET	1.1.1.1	192.168.2.6	0xf310	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.143805981 CET	1.1.1.1	192.168.2.6	0xe256	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.280277014 CET	1.1.1.1	192.168.2.6	0xd815	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 23, 2024 16:29:10.280989885 CET	1.1.1.1	192.168.2.6	0x52ed	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 16:29:10.385114908 CET	1.1.1.1	192.168.2.6	0xbba0	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.421082020 CET	1.1.1.1	192.168.2.6	0xe927	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:10.421082020 CET	1.1.1.1	192.168.2.6	0xe927	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.423582077 CET	1.1.1.1	192.168.2.6	0x105f	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:10.423582077 CET	1.1.1.1	192.168.2.6	0x105f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.525738955 CET	1.1.1.1	192.168.2.6	0xccfa	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.639858961 CET	1.1.1.1	192.168.2.6	0x3fe6	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:10.639858961 CET	1.1.1.1	192.168.2.6	0x3fe6	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:10.639858961 CET	1.1.1.1	192.168.2.6	0x3fe6	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.671451092 CET	1.1.1.1	192.168.2.6	0xaa54	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.748765945 CET	1.1.1.1	192.168.2.6	0xc9a8	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.827946901 CET	1.1.1.1	192.168.2.6	0xfcc8	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:10.909295082 CET	1.1.1.1	192.168.2.6	0xaf00	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:10.973419905 CET	1.1.1.1	192.168.2.6	0x7801	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 16:29:11.588130951 CET	1.1.1.1	192.168.2.6	0x6801	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:11.733772039 CET	1.1.1.1	192.168.2.6	0x1290	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:11.892471075 CET	1.1.1.1	192.168.2.6	0x1585	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:11.892471075 CET	1.1.1.1	192.168.2.6	0x1585	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:11.892875910 CET	1.1.1.1	192.168.2.6	0xa0d	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:12.364857912 CET	1.1.1.1	192.168.2.6	0x22a2	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:12.364857912 CET	1.1.1.1	192.168.2.6	0x22a2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:12.365093946 CET	1.1.1.1	192.168.2.6	0xe8ea	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:12.442003965 CET	1.1.1.1	192.168.2.6	0xd002	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:12.442003965 CET	1.1.1.1	192.168.2.6	0xd002	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:12.491240978 CET	1.1.1.1	192.168.2.6	0xf472	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:12.491240978 CET	1.1.1.1	192.168.2.6	0xf472	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:12.528106928 CET	1.1.1.1	192.168.2.6	0x84c6	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:12.612891912 CET	1.1.1.1	192.168.2.6	0xcb77	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.295471907 CET	1.1.1.1	192.168.2.6	0x645f	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:13.295471907 CET	1.1.1.1	192.168.2.6	0x645f	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.295471907 CET	1.1.1.1	192.168.2.6	0x645f	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.295471907 CET	1.1.1.1	192.168.2.6	0x645f	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.295471907 CET	1.1.1.1	192.168.2.6	0x645f	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.295471907 CET	1.1.1.1	192.168.2.6	0x645f	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.295471907 CET	1.1.1.1	192.168.2.6	0x645f	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.295471907 CET	1.1.1.1	192.168.2.6	0x645f	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.295471907 CET	1.1.1.1	192.168.2.6	0x645f	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.295471907 CET	1.1.1.1	192.168.2.6	0x645f	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.295959949 CET	1.1.1.1	192.168.2.6	0xc2ac	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:13.295959949 CET	1.1.1.1	192.168.2.6	0xc2ac	No error (0)	star-mini.c10r.facebook.com		157.240.195.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.301059008 CET	1.1.1.1	192.168.2.6	0xf2ba	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:13.301059008 CET	1.1.1.1	192.168.2.6	0xf2ba	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.439974070 CET	1.1.1.1	192.168.2.6	0xf9eb	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.439974070 CET	1.1.1.1	192.168.2.6	0xf9eb	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.439974070 CET	1.1.1.1	192.168.2.6	0xf9eb	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.439974070 CET	1.1.1.1	192.168.2.6	0xf9eb	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.439974070 CET	1.1.1.1	192.168.2.6	0xf9eb	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.439974070 CET	1.1.1.1	192.168.2.6	0xf9eb	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.439974070 CET	1.1.1.1	192.168.2.6	0xf9eb	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.439974070 CET	1.1.1.1	192.168.2.6	0xf9eb	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.439974070 CET	1.1.1.1	192.168.2.6	0xf9eb	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.440689087 CET	1.1.1.1	192.168.2.6	0xdc2d	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.444850922 CET	1.1.1.1	192.168.2.6	0xe38e	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.629290104 CET	1.1.1.1	192.168.2.6	0x9945	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 23, 2024 16:29:13.629940033 CET	1.1.1.1	192.168.2.6	0x5a86	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 16:29:13.629940033 CET	1.1.1.1	192.168.2.6	0x5a86	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 16:29:13.629940033 CET	1.1.1.1	192.168.2.6	0x5a86	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 16:29:13.629940033 CET	1.1.1.1	192.168.2.6	0x5a86	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 16:29:13.632045984 CET	1.1.1.1	192.168.2.6	0xefb6	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 23, 2024 16:29:13.878070116 CET	1.1.1.1	192.168.2.6	0x9edf	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:13.878070116 CET	1.1.1.1	192.168.2.6	0x9edf	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.878070116 CET	1.1.1.1	192.168.2.6	0x9edf	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.878070116 CET	1.1.1.1	192.168.2.6	0x9edf	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.878070116 CET	1.1.1.1	192.168.2.6	0x9edf	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:13.988717079 CET	1.1.1.1	192.168.2.6	0xc503	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:14.100251913 CET	1.1.1.1	192.168.2.6	0x7f0c	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:14.100251913 CET	1.1.1.1	192.168.2.6	0x7f0c	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:14.100251913 CET	1.1.1.1	192.168.2.6	0x7f0c	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:14.100251913 CET	1.1.1.1	192.168.2.6	0x7f0c	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:14.107829094 CET	1.1.1.1	192.168.2.6	0x9f90	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:14.130980968 CET	1.1.1.1	192.168.2.6	0x508d	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:17.819551945 CET	1.1.1.1	192.168.2.6	0x4f4d	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:17.819551945 CET	1.1.1.1	192.168.2.6	0x4f4d	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:17.819551945 CET	1.1.1.1	192.168.2.6	0x4f4d	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:18.373713017 CET	1.1.1.1	192.168.2.6	0x3652	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:36.845350027 CET	1.1.1.1	192.168.2.6	0x675a	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:36.845350027 CET	1.1.1.1	192.168.2.6	0x675a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:36.846400976 CET	1.1.1.1	192.168.2.6	0x90ec	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:36.846400976 CET	1.1.1.1	192.168.2.6	0x90ec	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:36.846400976 CET	1.1.1.1	192.168.2.6	0x90ec	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:36.846400976 CET	1.1.1.1	192.168.2.6	0x90ec	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:37.019300938 CET	1.1.1.1	192.168.2.6	0xf0fd	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:37.019300938 CET	1.1.1.1	192.168.2.6	0xf0fd	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:37.019300938 CET	1.1.1.1	192.168.2.6	0xf0fd	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:37.019300938 CET	1.1.1.1	192.168.2.6	0xf0fd	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:37.020065069 CET	1.1.1.1	192.168.2.6	0xe80c	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:37.020065069 CET	1.1.1.1	192.168.2.6	0xe80c	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:37.157356977 CET	1.1.1.1	192.168.2.6	0xf26e	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 16:29:37.157356977 CET	1.1.1.1	192.168.2.6	0xf26e	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 16:29:37.157356977 CET	1.1.1.1	192.168.2.6	0xf26e	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 16:29:37.157356977 CET	1.1.1.1	192.168.2.6	0xf26e	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 16:29:37.245357037 CET	1.1.1.1	192.168.2.6	0x23b2	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:40.249281883 CET	1.1.1.1	192.168.2.6	0xf3c	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:40.249281883 CET	1.1.1.1	192.168.2.6	0xf3c	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:54.934822083 CET	1.1.1.1	192.168.2.6	0xae1a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:29:54.934822083 CET	1.1.1.1	192.168.2.6	0xae1a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:29:58.566549063 CET	1.1.1.1	192.168.2.6	0x5391	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:30:06.642246008 CET	1.1.1.1	192.168.2.6	0x634	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:30:41.732872009 CET	1.1.1.1	192.168.2.6	0x423c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:30:41.732872009 CET	1.1.1.1	192.168.2.6	0x423c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 16:30:41.733014107 CET	1.1.1.1	192.168.2.6	0x423c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 16:30:41.733014107 CET	1.1.1.1	192.168.2.6	0x423c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49719	34.107.221.82	80	5776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 16:29:10.402321100 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 16:29:11.582901001 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 31274 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49731	34.107.221.82	80	5776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 16:29:12.501970053 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 16:29:13.749737024 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 53095 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 16:29:13.763046980 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 16:29:14.086966038 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 53095 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 16:29:23.110433102 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 16:29:23.440071106 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 53105 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 16:29:25.375559092 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 16:29:25.699265003 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 53107 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 16:29:28.288716078 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 16:29:28.615782976 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 53110 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 16:29:38.364588976 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 16:29:38.692461967 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 53120 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 16:29:39.701702118 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 16:29:40.029568911 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 53121 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 16:29:50.032236099 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 16:29:55.124660015 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 16:29:55.454291105 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 53137 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 16:30:00.166229963 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 16:30:00.492410898 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 53142 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 16:30:08.205842972 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 16:30:08.545783997 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 53150 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 16:30:09.445044041 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 16:30:09.769058943 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 53151 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 16:30:19.775974035 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 16:30:29.904311895 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 16:30:40.031622887 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 16:30:41.648819923 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 16:30:41.972510099 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 53183 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 16:30:51.989031076 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 16:31:02.118210077 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49732	34.107.221.82	80	5776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 16:29:12.514771938 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 16:29:13.749752998 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 16:44:55 GMT Age: 81858 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 16:29:13.969801903 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 16:29:14.293217897 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 16:44:55 GMT Age: 81859 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 16:29:23.112032890 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 16:29:23.439985991 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 16:44:55 GMT Age: 81868 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 16:29:24.344813108 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 16:29:24.674442053 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 16:44:55 GMT Age: 81869 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 16:29:26.919861078 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 16:29:27.245333910 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 16:44:55 GMT Age: 81872 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 16:29:37.255143881 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 16:29:38.038647890 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 16:29:38.362257957 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 16:44:55 GMT Age: 81883 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 16:29:39.374505997 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 16:29:39.698340893 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 16:44:55 GMT Age: 81884 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 16:29:49.700099945 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 16:29:54.790045023 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 16:29:55.120754957 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 16:44:55 GMT Age: 81899 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 16:29:59.838823080 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 16:30:00.162405014 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 16:44:55 GMT Age: 81905 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 16:30:07.876100063 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 16:30:08.201123953 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 16:44:55 GMT Age: 81913 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 16:30:09.110565901 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 16:30:09.441993952 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 16:44:55 GMT Age: 81914 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 16:30:19.443854094 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 16:30:29.572160959 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 16:30:39.699531078 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 16:30:41.321090937 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 16:30:41.645478964 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 16:44:55 GMT Age: 81946 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 16:30:51.650125027 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 16:31:01.779618025 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	10:29:01
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x440000
File size:	922'624 bytes
MD5 hash:	16F8B17BACEADAED2044CCFCAAE7D31D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:29:02
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xdf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:29:02
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:29:04
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xdf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:29:04
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:29:04
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xdf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:29:04
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:29:04
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xdf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:29:04
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:29:04
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xdf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:29:04
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:29:05
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:29:05
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:29:05
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	10:29:06
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3d3592d-2a7f-4998-ad9d-25d2e559128e} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1804376f510 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	10:29:07
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3300 -parentBuildID 20230927232528 -prefsHandle 3408 -prefMapHandle 3640 -prefsLen 26099 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8716ed0-fba8-43a6-bdf8-f0c97c379a93} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 180536d6b10 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	10:29:11
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4860 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4748 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35a3a37c-b193-447c-aca0-ac37bcd14058} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1805622f710 utility
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.2%
Total number of Nodes:	1475
Total number of Limit Nodes:	54

Executed Functions

Function 004442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0044430D

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

GetCurrentProcess.KERNEL32(?,004DCB64,00000000,?,?), ref: 00444422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00444429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00444454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00444466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00444474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0044447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004444A0

Strings

GetNativeSystemInfo, xrefs: 00444460
|O, xrefs: 004836F8
kernel32.dll, xrefs: 0044444F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 4ef7942196d7337a5939c998f8fed81f8d91892789e47b1bf5b647dc335596ab
Instruction ID: 5d12485ffadc2bbbddb2dbccfe402c205ffdfcbb40f98335773eb5014b5bbb06
Opcode Fuzzy Hash: 4ef7942196d7337a5939c998f8fed81f8d91892789e47b1bf5b647dc335596ab
Instruction Fuzzy Hash: 76A1176590AAD0CFDB11DB687C843D97FA46B72741B18CCDBD26093729D228450DEB2E

Function 004442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 004442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004450AA,?,?,00000000,00000000), ref: 004442C9
LoadResource.KERNEL32(?,00000000,?,?,004450AA,?,?,00000000,00000000,?,?,?,?,?,?,00444F20), ref: 004835BE
SizeofResource.KERNEL32(?,00000000,?,?,004450AA,?,?,00000000,00000000,?,?,?,?,?,?,00444F20), ref: 004835D3
LockResource.KERNEL32(004450AA,?,?,004450AA,?,?,00000000,00000000,?,?,?,?,?,?,00444F20,?), ref: 004835E6

Strings

SCRIPT, xrefs: 004442BF

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 7d917ffa8e76a866c36b33ae6c9143210a2908c62eae9224c22ca7ba7dc73ad9
Instruction ID: 93847e93ddc6f856a7afd4b3e2fd9f4d346232565c8d811aced674530c585a88
Opcode Fuzzy Hash: 7d917ffa8e76a866c36b33ae6c9143210a2908c62eae9224c22ca7ba7dc73ad9
Instruction Fuzzy Hash: C4117CB0601701BFEB218BA5DC88F277BB9EBC5B91F2045AEF40296290DBB1D800C665

Function 00482BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00442B6B

Part of subcall function 00443A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00511418,?,00442E7F,?,?,?,00000000), ref: 00443A78

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00502224), ref: 00482C10
ShellExecuteW.SHELL32(00000000,?,?,00502224), ref: 00482C17

Strings

runas, xrefs: 00482C0B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: b8224c5565467e18f2a0fe8b57ad6a5595dd17793ad4d5ed0e1db55367d3283e
Instruction ID: ba0f5df53f78948406967863b67ed676f51a78ffcf95cc7d178816576d78ac10
Opcode Fuzzy Hash: b8224c5565467e18f2a0fe8b57ad6a5595dd17793ad4d5ed0e1db55367d3283e
Instruction Fuzzy Hash: 7A113A311083416AF704FF21D8859BFBBA4AF90B49F44042FF542020A2CFB89949D71E

Function 004AD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004AD501
Process32FirstW.KERNEL32(00000000,?), ref: 004AD50F
Process32NextW.KERNEL32(00000000,?), ref: 004AD52F
CloseHandle.KERNELBASE(00000000), ref: 004AD5DC

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ff840efcbeb0dc118537223f3c1671bf89fa990e74cd3f7cf2b32a6d68bb35b9
Instruction ID: c5d8c0786fe27042e6e1e3104109ed61e8f91e8bcce322bf982566cdb594eb60
Opcode Fuzzy Hash: ff840efcbeb0dc118537223f3c1671bf89fa990e74cd3f7cf2b32a6d68bb35b9
Instruction Fuzzy Hash: 6C31C471508301AFD300EF54C881AAFBBF8EF99348F14092EF582861A2EB759944CB97

Function 004ADBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00485222), ref: 004ADBCE
GetFileAttributesW.KERNELBASE(?), ref: 004ADBDD
FindFirstFileW.KERNEL32(?,?), ref: 004ADBEE
FindClose.KERNEL32(00000000), ref: 004ADBFA

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 4194f9766e15aba1ccb2284da3ad15dc4c3a87d076ad1aa54b765c46f9626e26
Instruction ID: ab069b7c5fb0ae612a213032e04c17cc5d37f6e8b8301f22da4724f41e5ef17a
Opcode Fuzzy Hash: 4194f9766e15aba1ccb2284da3ad15dc4c3a87d076ad1aa54b765c46f9626e26
Instruction Fuzzy Hash: 72F0A030C119215792206B78AC4D8AB376C9E02334B944763F876C25E0EBB85D55C69E

Function 00464CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004728E9,?,00464CBE,004728E9,005088B8,0000000C,00464E15,004728E9,00000002,00000000,?,004728E9), ref: 00464D09
TerminateProcess.KERNEL32(00000000,?,00464CBE,004728E9,005088B8,0000000C,00464E15,004728E9,00000002,00000000,?,004728E9), ref: 00464D10
ExitProcess.KERNEL32 ref: 00464D22

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f8261537ad3431f6e4c1b0e6918fef14662c7ba5aa06ea1e40c46ca0e7c3aa76
Instruction ID: a5b42991390f8a271986e92c55c8af9d320883932a3247fd4caf56aa5c67da61
Opcode Fuzzy Hash: f8261537ad3431f6e4c1b0e6918fef14662c7ba5aa06ea1e40c46ca0e7c3aa76
Instruction Fuzzy Hash: C9E0B631401149ABCF21AF55DD49A593B69EB82785F10842AFC098B222DB39DD42DA89

Function 0044BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

8!, xrefs: 004907CE

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: 8!
API String ID: 3964851224-1003366106
Opcode ID: d6526e9904ccda0ac225e97809560f1fec6483b9495ec88575fd08da5ee921e7
Instruction ID: fe5a39c86181f9cf79d1ae2702ea72aeee18ef6cedea6009e2a1c64598f83df7
Opcode Fuzzy Hash: d6526e9904ccda0ac225e97809560f1fec6483b9495ec88575fd08da5ee921e7
Instruction Fuzzy Hash: F9A26E706083019FDB50DF15C480B2BBBE1BF99304F18896EE9998B352D779EC45CB9A

Function 004CAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 004CB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004CB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004CB1D4
_wcslen.LIBCMT ref: 004CB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004CB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004CB236
_wcslen.LIBCMT ref: 004CB332

Part of subcall function 004B05A7: GetStdHandle.KERNEL32(000000F6), ref: 004B05C6

_wcslen.LIBCMT ref: 004CB34B
_wcslen.LIBCMT ref: 004CB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004CB3B6
GetLastError.KERNEL32(00000000), ref: 004CB407
CloseHandle.KERNEL32(?), ref: 004CB439
CloseHandle.KERNEL32(00000000), ref: 004CB44A
CloseHandle.KERNEL32(00000000), ref: 004CB45C
CloseHandle.KERNEL32(00000000), ref: 004CB46E
CloseHandle.KERNEL32(?), ref: 004CB4E3

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: a7036073d845c5ab7b047c2dd7b5499c7e3991d04e9e69929556a9dd837edcdf
Instruction ID: a71c4b20f001fb8cc1a96b29c4d0441904f2a1757faa604840f5b10b314359c5
Opcode Fuzzy Hash: a7036073d845c5ab7b047c2dd7b5499c7e3991d04e9e69929556a9dd837edcdf
Instruction Fuzzy Hash: 4CF19C356082409FD754EF25C882B2BBBE5EF85318F14855EF8854B2A2CB39DC05CB9A

Function 0044D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0044D807
timeGetTime.WINMM ref: 0044DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044DB28
TranslateMessage.USER32(?), ref: 0044DB7B
DispatchMessageW.USER32(?), ref: 0044DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044DB9F
Sleep.KERNELBASE(0000000A), ref: 0044DBB1

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: de6b5fedf78f98d53e09d9fb9f4b404f42b3283d0d40b7ba0a1057bc8142e288
Instruction ID: 6460be988781d31e70a8c26148c01bcd580e65ccf735d09a405225ea97a92ac0
Opcode Fuzzy Hash: de6b5fedf78f98d53e09d9fb9f4b404f42b3283d0d40b7ba0a1057bc8142e288
Instruction Fuzzy Hash: 3B42D470A04642EFEB24CF25C884BAABBE1FF45304F14856FE45587391D778E849CB8A

Function 00442CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00442D07
RegisterClassExW.USER32(00000030), ref: 00442D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00442D42
InitCommonControlsEx.COMCTL32(?), ref: 00442D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00442D6F
LoadIconW.USER32(000000A9), ref: 00442D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00442D94

Strings

0, xrefs: 00442CE9
AutoIt v3 GUI, xrefs: 00442D23
TaskbarCreated, xrefs: 00442D37
+, xrefs: 00442CF0

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cbe30313d8f4974dd3f2640c3549f5bd5da602ce5e1f22c09f51cdca33ac5707
Instruction ID: 3688adc7738a65c30cb61ed8d04c8e52c5ce0fde6eb1b0a8c4716bd4db3bc1cb
Opcode Fuzzy Hash: cbe30313d8f4974dd3f2640c3549f5bd5da602ce5e1f22c09f51cdca33ac5707
Instruction Fuzzy Hash: F421C8B590221AAFDB00DFA4E889BDDBBB4FB08701F10816BF621A6290D7B54544DF99

Function 0048065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0048039A: CreateFileW.KERNELBASE(00000000,00000000,?,00480704,?,?,00000000,?,00480704,00000000,0000000C), ref: 004803B7

GetLastError.KERNEL32 ref: 0048076F
__dosmaperr.LIBCMT ref: 00480776
GetFileType.KERNELBASE(00000000), ref: 00480782
GetLastError.KERNEL32 ref: 0048078C
__dosmaperr.LIBCMT ref: 00480795
CloseHandle.KERNEL32(00000000), ref: 004807B5
CloseHandle.KERNEL32(?), ref: 004808FF
GetLastError.KERNEL32 ref: 00480931
__dosmaperr.LIBCMT ref: 00480938

Strings

H, xrefs: 004808BD

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 4d7002a36a8f9c9eaff585fe0e558cb6234ae5c82fefcc32e3c6fdcf31deca99
Instruction ID: b6584fb4f980b995ec135db1300442721fd88bd319fa200a0e3e384be7f49296
Opcode Fuzzy Hash: 4d7002a36a8f9c9eaff585fe0e558cb6234ae5c82fefcc32e3c6fdcf31deca99
Instruction Fuzzy Hash: 7CA13732A101048FDF19AF68D852BAE7BA0AB06324F14415FF8159B3D1D7399C5BCB99

Function 0044344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00443A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00511418,?,00442E7F,?,?,?,00000000), ref: 00443A78

Part of subcall function 00443357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00443379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0044356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0048318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004831CE
RegCloseKey.ADVAPI32(?), ref: 00483210
_wcslen.LIBCMT ref: 00483277
_wcslen.LIBCMT ref: 00483286

Strings

\, xrefs: 0048328C
Include, xrefs: 00483184, 004831C5
Software\AutoIt v3\AutoIt, xrefs: 00443560
\Include\, xrefs: 00443527

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: a54d746046b0bccad989aced17f17985cf75762db636722291c9f21366256abc
Instruction ID: 7981a67b3e4dd62e03b4ba9a4a056cfaec4e7c20a8f67dc323da5edcb5ab6a5b
Opcode Fuzzy Hash: a54d746046b0bccad989aced17f17985cf75762db636722291c9f21366256abc
Instruction Fuzzy Hash: 6371AD714043019ED704EF2AEC8299BBBE8FF94744F404C2FF45583261EB389A58CB5A

Function 00442B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00442B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00442B9D
LoadIconW.USER32(00000063), ref: 00442BB3
LoadIconW.USER32(000000A4), ref: 00442BC5
LoadIconW.USER32(000000A2), ref: 00442BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00442BEF
RegisterClassExW.USER32(?), ref: 00442C40

Part of subcall function 00442CD4: GetSysColorBrush.USER32(0000000F), ref: 00442D07
Part of subcall function 00442CD4: RegisterClassExW.USER32(00000030), ref: 00442D31
Part of subcall function 00442CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00442D42
Part of subcall function 00442CD4: InitCommonControlsEx.COMCTL32(?), ref: 00442D5F
Part of subcall function 00442CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00442D6F
Part of subcall function 00442CD4: LoadIconW.USER32(000000A9), ref: 00442D85
Part of subcall function 00442CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00442D94

Strings

#, xrefs: 00442C16
AutoIt v3, xrefs: 00442C2F
0, xrefs: 00442C0F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e5d7f7fef5fd9553c70609173965a10001edaaee81e95b612099916d588b9fb0
Instruction ID: 237fa8df1809e38391637b9791aec449ff132ea14e4639a5549f9fdaf604947c
Opcode Fuzzy Hash: e5d7f7fef5fd9553c70609173965a10001edaaee81e95b612099916d588b9fb0
Instruction Fuzzy Hash: 5B217F70E02315ABDB109F95EC94AD97FB4FB18B40F0084ABF610A22A4D3B10544EF8C

Function 00443170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0044316A,?,?), ref: 004431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0044316A,?,?), ref: 00443204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00443227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0044316A,?,?), ref: 00443232
CreatePopupMenu.USER32 ref: 00443246
PostQuitMessage.USER32(00000000), ref: 00443267

Strings

TaskbarCreated, xrefs: 0044322D

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 65b5b24d10935c6804b1b3ac78f624f5dfc4ea7fd117cdc3be86d063a120020f
Instruction ID: 88a98ec6f47ea700d45017a46820788515ed862844a84f1f7b454c99a80dbf36
Opcode Fuzzy Hash: 65b5b24d10935c6804b1b3ac78f624f5dfc4ea7fd117cdc3be86d063a120020f
Instruction Fuzzy Hash: 7D415930200205A7FF142F789D49BBE3A55F711B06F04416BFA12853A5CBEC9E41D76E

Function 00441410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00441459
CoUninitialize.COMBASE ref: 004414F8
UnregisterHotKey.USER32(?), ref: 004416DD
DestroyWindow.USER32(?), ref: 004824B9
FreeLibrary.KERNEL32(?), ref: 0048251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0048254B

Strings

close all, xrefs: 00441454

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3415ec1d5b954ddb43fdbe5ad6938586661ffd7da5257ceddd14c3cbc8a5b160
Instruction ID: c8d898f5a9d5b771e562e646e678dfc106df17fb9795d8bd62a0d24e1d170d83
Opcode Fuzzy Hash: 3415ec1d5b954ddb43fdbe5ad6938586661ffd7da5257ceddd14c3cbc8a5b160
Instruction Fuzzy Hash: CED1CC307012129FDB19EF15C599A2AF7A0BF05704F1446AFE80A6B362DB38EC56CF59

Function 00442C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00442C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00442CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00441CAD,?), ref: 00442CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00441CAD,?), ref: 00442CCF

Strings

AutoIt v3, xrefs: 00442C89, 00442C8E, 00442C8F
edit, xrefs: 00442CAC

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d32a85d86ea65a7c6f344e4a920457c59d5d0581aaf6d97724501567e39d8169
Instruction ID: e0e4be680c0f3d73271899106ebe627805ae4d432946068f4c247df8486a4ba5
Opcode Fuzzy Hash: d32a85d86ea65a7c6f344e4a920457c59d5d0581aaf6d97724501567e39d8169
Instruction Fuzzy Hash: 74F05E755402917AEB300713AC58EB77FBDD7D6F50F0085AFFA10A32A4C6750844EAB8

Function 004410F3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00441BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00441BF4
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00441BFC
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00441C07
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00441C12
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00441C1A
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00441C22

Part of subcall function 00441B4A: RegisterWindowMessageW.USER32(00000004,?,004412C4), ref: 00441BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0044136A
OleInitialize.OLE32 ref: 00441388
CloseHandle.KERNEL32(00000000,00000000), ref: 004824AB

Strings

P', xrefs: 004412AD

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: P'
API String ID: 1986988660-3085387146
Opcode ID: 754d603915766dd8d84f66169f3de82500345a24a135c3ded65e049bf177ae37
Instruction ID: 22e58ddbca1de210421c7eccae6c58f18a5c25a069507955b39722413b5965e7
Opcode Fuzzy Hash: 754d603915766dd8d84f66169f3de82500345a24a135c3ded65e049bf177ae37
Instruction Fuzzy Hash: 5F71E1B4911A018ED784EF7AA8956D53AE2FBA8344306C1EFD60AC7371E7744449EF4C

Function 00443B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00443B0F,SwapMouseButtons,00000004,?), ref: 00443B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00443B0F,SwapMouseButtons,00000004,?), ref: 00443B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00443B0F,SwapMouseButtons,00000004,?), ref: 00443B83

Strings

Control Panel\Mouse, xrefs: 00443B3E

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 49a19f1299adb8b6fa28f023fba4b5c2d6e253fbdf3302028acfac40fb6d5313
Instruction ID: 678ba80e24ca60733b9712cf00d8095b733fc32482e1b25b46adf43a17b556bd
Opcode Fuzzy Hash: 49a19f1299adb8b6fa28f023fba4b5c2d6e253fbdf3302028acfac40fb6d5313
Instruction Fuzzy Hash: BB115AB1511208FFEB218FA4DC84AAFB7B8EF00B45B10846AA801D7211D231AE409768

Function 00443923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004833A2

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00443A04

Strings

Line: , xrefs: 004833EB

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 2633230c90580a693d6ceae46ecb618f10c38eb50f95d4e142d6004ee3ca02bf
Instruction ID: b95435872d310a28332a661fcebcd7064a787f6eb1dee93a5503e43b1dc3f063
Opcode Fuzzy Hash: 2633230c90580a693d6ceae46ecb618f10c38eb50f95d4e142d6004ee3ca02bf
Instruction Fuzzy Hash: FA31E471408300AAE721EF20DC45BDFB7D8AF40B19F10496FF59992191EB789A49C7CB

Function 00442DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00482C8C

Part of subcall function 00443AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00443A97,?,?,00442E7F,?,?,?,00000000), ref: 00443AC2

Part of subcall function 00442DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00442DC4

Strings

X, xrefs: 00482C5A
`eP, xrefs: 00482C85

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eP
API String ID: 779396738-3660009032
Opcode ID: a2215ff22072f86fb6b07b0e56e862c1e3872afb3ea1fb75ea60a743bd482838
Instruction ID: a59732b2ccb16d04998dcc926d5f05f74336f62bd392b5f9699f22d6849eae3c
Opcode Fuzzy Hash: a2215ff22072f86fb6b07b0e56e862c1e3872afb3ea1fb75ea60a743bd482838
Instruction Fuzzy Hash: DD21A470A002589ADB01AF95C8457EE7BF8AF48308F00405AE505A7281DBF85649CB69

Function 004AC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00443923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00443A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004AC259
KillTimer.USER32(?,00000001,?,?), ref: 004AC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004AC270

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 804697fb0e80e462812e29affb712fb1916e12d5f31b5044f0fcef72a0466761
Instruction ID: 67f7fad469b43c80694a5d9e333056d7c87bb2d524338f0e10f029916512b86b
Opcode Fuzzy Hash: 804697fb0e80e462812e29affb712fb1916e12d5f31b5044f0fcef72a0466761
Instruction Fuzzy Hash: 7D31E571900744AFEB628F648885BE7BBEC9B27308F0004DFD2DA97241C3785A85CB5A

Function 004786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004785CC,?,00508CC8,0000000C), ref: 00478704
GetLastError.KERNEL32(?,004785CC,?,00508CC8,0000000C), ref: 0047870E
__dosmaperr.LIBCMT ref: 00478739

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 68fafc01d62619cf775a0ce33a2146a4d575abab5333fb1c823a5a03ec58c108
Instruction ID: a176f63e4f6848a08e98e94dbc5e7d9ef1bdaad79741544376c3281a58fb960a
Opcode Fuzzy Hash: 68fafc01d62619cf775a0ce33a2146a4d575abab5333fb1c823a5a03ec58c108
Instruction Fuzzy Hash: 37014832A4522036D6246334684E7EF275A4B91778F29C11FEC0C8F2E2DEEC8C85819C

Function 0044DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0044DB7B
DispatchMessageW.USER32(?), ref: 0044DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044DB9F
Sleep.KERNELBASE(0000000A), ref: 0044DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00491CC9

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: e5c3d535d54f63531f5cbbfa56a26653fe05875aca18914c663bfefe22c7a0c8
Instruction ID: cfd0ed14e6f131edfb9f2a6ea8d284e46b5ddb0c21d854380380a4cb6d119c40
Opcode Fuzzy Hash: e5c3d535d54f63531f5cbbfa56a26653fe05875aca18914c663bfefe22c7a0c8
Instruction Fuzzy Hash: EAF054306053429BFB30C7608C89FEB77A8EB44311F10452BE61A831D0DB34A449CB1D

Function 00451310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004517F6

Strings

CALL, xrefs: 004517C6

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: aa8084973e92ed060941e583e0da445d368b033aa755c69d5f103c9da03efdf3
Instruction ID: dfc3be6f01bc5547f9f2665d21aa4e351b8fd0173a5582bba5d250e6f87cc3d3
Opcode Fuzzy Hash: aa8084973e92ed060941e583e0da445d368b033aa755c69d5f103c9da03efdf3
Instruction Fuzzy Hash: 21229E70608301AFC714DF15C480B2ABBF1BF85319F15892EF8968B362D779E949CB5A

Function 00443837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00443908

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8d121da5f316c3cc7c9f15b85cbaf8fda1d19f3870773850659b5ce2f5739047
Instruction ID: 6a5272416407c61594ce4e1b61ee7bf71155e163c2d4ec114ea42c156a1881be
Opcode Fuzzy Hash: 8d121da5f316c3cc7c9f15b85cbaf8fda1d19f3870773850659b5ce2f5739047
Instruction Fuzzy Hash: 6231B4B05047019FE720EF25D885797B7E4FB59709F00096FF69983340E775AA44CB5A

Function 0045F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0045F661

Part of subcall function 0044D730: GetInputState.USER32 ref: 0044D807

Sleep.KERNEL32(00000000), ref: 0049F2DE

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: a2f112a28c72df399222c4c7ce488db0f2161aa16da71d6caa59f08405c2f1d9
Instruction ID: 046b90dd77b3c8a1991ab6647de9b5a97f0014bc5edaa945b6f5fcd89b057e31
Opcode Fuzzy Hash: a2f112a28c72df399222c4c7ce488db0f2161aa16da71d6caa59f08405c2f1d9
Instruction Fuzzy Hash: E8F08231240205AFD310EF65D545B5AB7E4FF45765F00003BE85DC72A1DB70A804CF99

Function 00444ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00444E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00444EDD,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E9C
Part of subcall function 00444E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00444EAE
Part of subcall function 00444E90: FreeLibrary.KERNEL32(00000000,?,?,00444EDD,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444EFD

Part of subcall function 00444E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00483CDE,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E62
Part of subcall function 00444E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00444E74
Part of subcall function 00444E59: FreeLibrary.KERNEL32(00000000,?,?,00483CDE,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E87

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: d2759056268196ef8dd648dc5e39be1d682ed96ff9738ac6e7eb2ef9ba956f8d
Instruction ID: 1ac20374369c95a2c179ff2503c517e0b98821f2c5e98f46d5b2f5142ff55c90
Opcode Fuzzy Hash: d2759056268196ef8dd648dc5e39be1d682ed96ff9738ac6e7eb2ef9ba956f8d
Instruction Fuzzy Hash: D011E732600205ABEF14BF62DC02FAD77A5AF80B15F20842FF542A61C1EE78DA099758

Function 00478402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00478440

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f7478605330f636079734377b23e766588ccd56946aea595ec9d647d2b6f3128
Instruction ID: ca23906fe42ddb8fd6e72907e6ec3752bf3922d84abfb95cc8b53a5d9b00cc0f
Opcode Fuzzy Hash: f7478605330f636079734377b23e766588ccd56946aea595ec9d647d2b6f3128
Instruction Fuzzy Hash: 2611487190410AAFCB05DF58E9449DF7BF4EF48314F10805AF808AB312EA70DA11CBA9

Function 0046E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: c89fc231e16683e5bccdf3b5de19f8a38a7c69877adb2de49b58396d05492a16
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 25F0F936A11A1496C6313A77DD05B9733D89F62338F10471FF424922D2EB7C980685AF

Function 00444F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444F6D

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4a51b09c90e80300a39d67c94bcc87ef567e4a1dfd175023572e15410ea7d7ed
Instruction ID: 60956efa9e85b2767f189e24d89fc8693c78886c379a32c813f66f4a295abd23
Opcode Fuzzy Hash: 4a51b09c90e80300a39d67c94bcc87ef567e4a1dfd175023572e15410ea7d7ed
Instruction Fuzzy Hash: D4F03071105752CFEB349F65D490A16B7E4AF54319310897FE1EA82621C7359848DF19

Function 004D2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004D2A66

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 597d2b9e4aaef9fe849cccaa309722b735a294a93d579703c36ff3dff3d61ba8
Instruction ID: 9ca4c5b0746be3e6257d793f9a3a237f37086a239c0a82ba1d45e034b6a28d91
Opcode Fuzzy Hash: 597d2b9e4aaef9fe849cccaa309722b735a294a93d579703c36ff3dff3d61ba8
Instruction Fuzzy Hash: 8FE04F76350116AAC714EA31DC948FEB35CEBB5399710453BFC16C2310EBB8D99686A8

Function 004430F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0044314E

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 041810799e7b7f5aebfb87e94ef345fc1c4122bb0d0dd61dc7b5c4b0ee283bbf
Instruction ID: 8eedf0b421fe1b2724b01a266ad8ffa95d93d7065a706e475f2ba061da5b2cf0
Opcode Fuzzy Hash: 041810799e7b7f5aebfb87e94ef345fc1c4122bb0d0dd61dc7b5c4b0ee283bbf
Instruction Fuzzy Hash: 21F0A7709003149FE7529F24DC457D67BBCA70170CF0000EAA64896285DB744788CF45

Function 00442DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00442DC4

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e4a915579dc9778be1b1216905954671bf3110e05f748ed4868d3f83ea642fb0
Instruction ID: 84f0dda81e19cd48690b8a30029a7f8b90fcf59e321822fefcf665de6199973f
Opcode Fuzzy Hash: e4a915579dc9778be1b1216905954671bf3110e05f748ed4868d3f83ea642fb0
Instruction Fuzzy Hash: 1FE0CD72A001245BCB10A2599C05FDA77DDDFC8794F0500B7FD09D7258D964AD80C659

Function 00442B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00443837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00443908

Part of subcall function 0044D730: GetInputState.USER32 ref: 0044D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00442B6B

Part of subcall function 004430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0044314E

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 80f0ae5c40132efa3f4b77c3f9c46f5106b3db31974d7d93ddd8a1520dd41889
Instruction ID: 754d3e65709aec7bebf1bba0160d51c9852577c875ab93fc1d2c46f40df4ba7d
Opcode Fuzzy Hash: 80f0ae5c40132efa3f4b77c3f9c46f5106b3db31974d7d93ddd8a1520dd41889
Instruction Fuzzy Hash: 83E0262170024403EA04BF3698524AEB7899BD1B5AF40153FF14243163CEAC4989821D

Function 0048039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00480704,?,?,00000000,?,00480704,00000000,0000000C), ref: 004803B7

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 502f2d8cce2891071c5753cb3bafaed66d414ea3d60f239f120b54e14f1a9a56
Instruction ID: 3b735f5a1c87884d852f9dfe2427ed504f707095d9e9503effc7daeaf1261fe2
Opcode Fuzzy Hash: 502f2d8cce2891071c5753cb3bafaed66d414ea3d60f239f120b54e14f1a9a56
Instruction Fuzzy Hash: 97D06C3204010DBBDF028F84DD46EDA3BAAFB48714F014010BE1856020C732E821EB94

Function 00441CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00441CBC

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 56260797d8a6a4bf3053153abd436c5f3ab50f37b416353d22972aa936901174
Instruction ID: cb07b859eaa7480e199b012bf077c1defa4faea4d6a3cf5c27192feed63508c7
Opcode Fuzzy Hash: 56260797d8a6a4bf3053153abd436c5f3ab50f37b416353d22972aa936901174
Instruction Fuzzy Hash: B9C09236280305AFF6148B80BC9AF907B65E368B01F04C502F709A95E3C3A22824FA58

Non-executed Functions

Function 004D9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 004D961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004D965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 004D969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004D96C9
SendMessageW.USER32 ref: 004D96F2
GetKeyState.USER32(00000011), ref: 004D978B
GetKeyState.USER32(00000009), ref: 004D9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004D97AE
GetKeyState.USER32(00000010), ref: 004D97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004D97E9
SendMessageW.USER32 ref: 004D9810
SendMessageW.USER32(?,00001030,?,004D7E95), ref: 004D9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 004D992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004D9941
SetCapture.USER32(?), ref: 004D994A
ClientToScreen.USER32(?,?), ref: 004D99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004D99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004D99D6
ReleaseCapture.USER32 ref: 004D99E1
GetCursorPos.USER32(?), ref: 004D9A19
ScreenToClient.USER32(?,?), ref: 004D9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 004D9A80
SendMessageW.USER32 ref: 004D9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 004D9AEB
SendMessageW.USER32 ref: 004D9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004D9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 004D9B4A
GetCursorPos.USER32(?), ref: 004D9B68
ScreenToClient.USER32(?,?), ref: 004D9B75
GetParent.USER32(?), ref: 004D9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 004D9BFA
SendMessageW.USER32 ref: 004D9C2B
ClientToScreen.USER32(?,?), ref: 004D9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004D9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 004D9CDE
SendMessageW.USER32 ref: 004D9D01
ClientToScreen.USER32(?,?), ref: 004D9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004D9D82

Part of subcall function 00459944: GetWindowLongW.USER32(?,000000EB), ref: 00459952

GetWindowLongW.USER32(?,000000F0), ref: 004D9E05

Strings

@GUI_DRAGID, xrefs: 004D997D
8!, xrefs: 004D9990
F, xrefs: 004D9D07

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: 8!$@GUI_DRAGID$F
API String ID: 3429851547-623927632
Opcode ID: af580b95b5b5de2486d563454b5c155ffe71697efddc00b5738b3a2f97fd4bef
Instruction ID: 64daf8ab0eedf3fe3ba9a20979cc46aad404fb0de3c89662afcc3d7d5f808a3f
Opcode Fuzzy Hash: af580b95b5b5de2486d563454b5c155ffe71697efddc00b5738b3a2f97fd4bef
Instruction Fuzzy Hash: 1B429830204201AFDB24CF24C8A4AAABBE5FF49314F144A5BF699D73A1D735EC54CB4A

Function 004D4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004D48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 004D4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 004D4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 004D494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 004D495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 004D497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004D49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004D49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 004D4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004D4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004D4A7E
IsMenu.USER32(?), ref: 004D4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004D4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004D4B20
GetWindowLongW.USER32(?,000000F0), ref: 004D4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004D4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 004D4C82
wsprintfW.USER32 ref: 004D4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004D4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 004D4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004D4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004D4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 004D4D5A

Strings

%d/%02d/%02d, xrefs: 004D4CA8

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 2342c82ebbf9f1dd4604972225813b717caf24bd44f4269de2706e0a585d246a
Instruction ID: 052eb20d477470106696892d35da51bc4539191c3dd0a870e5859e0e746cc518
Opcode Fuzzy Hash: 2342c82ebbf9f1dd4604972225813b717caf24bd44f4269de2706e0a585d246a
Instruction Fuzzy Hash: 7412EE71600215ABEB248F29CC59FAF7BE8EF85710F10412BF915EA3E1DB789941CB58

Function 0045F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0045F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0049F474
IsIconic.USER32(00000000), ref: 0049F47D
ShowWindow.USER32(00000000,00000009), ref: 0049F48A
SetForegroundWindow.USER32(00000000), ref: 0049F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0049F4AA
GetCurrentThreadId.KERNEL32 ref: 0049F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0049F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0049F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0049F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0049F4DE
SetForegroundWindow.USER32(00000000), ref: 0049F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0049F4F6
keybd_event.USER32(00000012,00000000), ref: 0049F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0049F50B
keybd_event.USER32(00000012,00000000), ref: 0049F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0049F519
keybd_event.USER32(00000012,00000000), ref: 0049F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0049F528
keybd_event.USER32(00000012,00000000), ref: 0049F52D
SetForegroundWindow.USER32(00000000), ref: 0049F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0049F557

Strings

Shell_TrayWnd, xrefs: 0049F46F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 2c96c3419501d951e3867f08c1930c1c294acd9f6cb125ce3d937806228bc049
Instruction ID: f88722f835e954db8571fdb4e4787251df1f13bcfd49dbcdf8bb5af67dd6f2c6
Opcode Fuzzy Hash: 2c96c3419501d951e3867f08c1930c1c294acd9f6cb125ce3d937806228bc049
Instruction Fuzzy Hash: D9315271A41229BBEF206BB55C89FBF7F6CEB44B50F110077F600E61D1C6B45900EA69

Function 004A1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004A170D
Part of subcall function 004A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004A173A
Part of subcall function 004A16C3: GetLastError.KERNEL32 ref: 004A174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 004A1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004A12A8
CloseHandle.KERNEL32(?), ref: 004A12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004A12D1
GetProcessWindowStation.USER32 ref: 004A12EA
SetProcessWindowStation.USER32(00000000), ref: 004A12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004A1310

Part of subcall function 004A10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004A11FC), ref: 004A10D4
Part of subcall function 004A10BF: CloseHandle.KERNEL32(?,?,004A11FC), ref: 004A10E9

Strings

default, xrefs: 004A130B
winsta0, xrefs: 004A12CC
, xrefs: 004A125A
ZP, xrefs: 004A1392

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZP
API String ID: 22674027-2560706152
Opcode ID: a31d3b09e587b9a6eb81028d01f35b394fc350cce0c2f9c212bba3b207635af0
Instruction ID: 4ef6bd66daae39113fe0447dab13b4eeb5c047484ae28d41d9fa5bf4e65c3333
Opcode Fuzzy Hash: a31d3b09e587b9a6eb81028d01f35b394fc350cce0c2f9c212bba3b207635af0
Instruction Fuzzy Hash: 41818F71900209AFDF119FA8DC89FEF7BB9EF19704F14412BF911A62A0D7798944CB29

Function 004A0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004A1114
Part of subcall function 004A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1120
Part of subcall function 004A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A112F
Part of subcall function 004A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1136
Part of subcall function 004A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004A0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004A0C00
GetLengthSid.ADVAPI32(?), ref: 004A0C17
GetAce.ADVAPI32(?,00000000,?), ref: 004A0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004A0C6D
GetLengthSid.ADVAPI32(?), ref: 004A0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004A0C8C
HeapAlloc.KERNEL32(00000000), ref: 004A0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004A0CB4
CopySid.ADVAPI32(00000000), ref: 004A0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004A0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004A0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004A0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0D45
HeapFree.KERNEL32(00000000), ref: 004A0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0D55
HeapFree.KERNEL32(00000000), ref: 004A0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0D65
HeapFree.KERNEL32(00000000), ref: 004A0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 004A0D78
HeapFree.KERNEL32(00000000), ref: 004A0D7F

Part of subcall function 004A1193: GetProcessHeap.KERNEL32(00000008,004A0BB1,?,00000000,?,004A0BB1,?), ref: 004A11A1
Part of subcall function 004A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004A0BB1,?), ref: 004A11A8
Part of subcall function 004A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004A0BB1,?), ref: 004A11B7

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f4a92d76fbc759de3943edaad951cff41aaef5a99afe4b6ef80c2443c6f8eadb
Instruction ID: 50ff4d7a3227e6681004e9d3dde28ae4e2668233599b94589bb9fcbdea25bb78
Opcode Fuzzy Hash: f4a92d76fbc759de3943edaad951cff41aaef5a99afe4b6ef80c2443c6f8eadb
Instruction Fuzzy Hash: 68717C7290121AABDF10DFE4DC84BEFBBB8BF15310F04452AE914A7291D779A905CBA4

Function 004BEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(004DCC08), ref: 004BEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 004BEB37
GetClipboardData.USER32(0000000D), ref: 004BEB43
CloseClipboard.USER32 ref: 004BEB4F
GlobalLock.KERNEL32(00000000), ref: 004BEB87
CloseClipboard.USER32 ref: 004BEB91
GlobalUnlock.KERNEL32(00000000), ref: 004BEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 004BEBC9
GetClipboardData.USER32(00000001), ref: 004BEBD1
GlobalLock.KERNEL32(00000000), ref: 004BEBE2
GlobalUnlock.KERNEL32(00000000), ref: 004BEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 004BEC38
GetClipboardData.USER32(0000000F), ref: 004BEC44
GlobalLock.KERNEL32(00000000), ref: 004BEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 004BEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004BEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004BECD2
GlobalUnlock.KERNEL32(00000000), ref: 004BECF3
CountClipboardFormats.USER32 ref: 004BED14
CloseClipboard.USER32 ref: 004BED59

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 61b65656fe9696539818400f24102ec99e4b267dd2efb1c6acf7686926919075
Instruction ID: cb9edb0f9d8dfdc24c5f90adcaf93bc3293a8e5a8e16f1bb39003e092e0c1037
Opcode Fuzzy Hash: 61b65656fe9696539818400f24102ec99e4b267dd2efb1c6acf7686926919075
Instruction Fuzzy Hash: 2161D5352042029FD300EF26D884FAA77E8EF84714F14456FF456972A2DB79ED05CB6A

Function 004B698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004B69BE
FindClose.KERNEL32(00000000), ref: 004B6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004B6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004B6A75

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 004B6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 004B6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 004B6B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 004B6B32
%02d, xrefs: 004B6C00, 004B6C0A, 004B6C5A, 004B6CAA, 004B6CFA, 004B6D4A
%4d, xrefs: 004B6BB1
%03d, xrefs: 004B6DA2

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c363c0295849bf0c4cc9e946a3f6eb4b0a435f6f621e41de5190166f7abc3747
Instruction ID: 08d9f92056e9e0ff60ebf324fe8bfea3ae7a30b2a900b7b186a840d04246ee1f
Opcode Fuzzy Hash: c363c0295849bf0c4cc9e946a3f6eb4b0a435f6f621e41de5190166f7abc3747
Instruction Fuzzy Hash: 32D15471508300AFD710EBA5C881EAFB7ECAF89708F44491EF585D7191EB78DA48CB66

Function 004B9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 004B9663
GetFileAttributesW.KERNEL32(?), ref: 004B96A1
SetFileAttributesW.KERNEL32(?,?), ref: 004B96BB
FindNextFileW.KERNEL32(00000000,?), ref: 004B96D3
FindClose.KERNEL32(00000000), ref: 004B96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004B96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 004B974A
SetCurrentDirectoryW.KERNEL32(00506B7C), ref: 004B9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 004B9772
FindClose.KERNEL32(00000000), ref: 004B977F
FindClose.KERNEL32(00000000), ref: 004B978F

Strings

*.*, xrefs: 004B96F5

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 64a08403ef35100dab001cb16dbb1042f888e69fedc40c3c510dd849d0fdbfcd
Instruction ID: 2d6e3261b5430d0b1c313adfd123b2d9035d52d21d7e8120e843c4a1a53ee86f
Opcode Fuzzy Hash: 64a08403ef35100dab001cb16dbb1042f888e69fedc40c3c510dd849d0fdbfcd
Instruction Fuzzy Hash: 3031D67254121AAADF10AFB5DC48ADF77ECAF09320F1041A7FA05E2190EB38DD40CE69

Function 004B979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 004B97BE
FindNextFileW.KERNEL32(00000000,?), ref: 004B9819
FindClose.KERNEL32(00000000), ref: 004B9824
FindFirstFileW.KERNEL32(*.*,?), ref: 004B9840
SetCurrentDirectoryW.KERNEL32(?), ref: 004B9890
SetCurrentDirectoryW.KERNEL32(00506B7C), ref: 004B98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004B98B8
FindClose.KERNEL32(00000000), ref: 004B98C5
FindClose.KERNEL32(00000000), ref: 004B98D5

Part of subcall function 004ADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004ADB00

Strings

*.*, xrefs: 004B983B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 25effaada09f2cf79f6f4a0730f9be0d7f9764c10dcef74d6b921f94fff6a11e
Instruction ID: c46a0bd9bec82e8933d01c2e9f88e7df786e2040ccb854cf229b1396e62fcd36
Opcode Fuzzy Hash: 25effaada09f2cf79f6f4a0730f9be0d7f9764c10dcef74d6b921f94fff6a11e
Instruction Fuzzy Hash: 6531F63150121A6ADF10EFB4DC88ADF77BCAF06324F1441ABEA14A22D0DB39DD44CA79

Function 004CBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CC9F1
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA68
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 004CBFA9
RegCloseKey.ADVAPI32(00000000), ref: 004CBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004CC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004CC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004CC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004CC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 004CC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004CC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004CC382
RegCloseKey.ADVAPI32(00000000), ref: 004CC38F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 92ac590b22761aee4a43a32d6c5ca9969d6dab51f3a9d2a08543f6dc380e1736
Instruction ID: 9b4b10aa3403bdef2ce5843f4c6320f15fc1f54032cd940aee0a37be66c19f10
Opcode Fuzzy Hash: 92ac590b22761aee4a43a32d6c5ca9969d6dab51f3a9d2a08543f6dc380e1736
Instruction Fuzzy Hash: 69024B74604200AFD754CF24C8D5E2ABBE5EF49308F18849EE84ACB2A2D735EC46CB56

Function 004B8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004B8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 004B8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004B8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004B8310
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8324
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004B838C
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8395

Strings

*.*, xrefs: 004B839B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 0a60b571e0bbea3369c1555a5b2c9198bbe78efb7f9586a4378139a33742a6c0
Instruction ID: d5f81797e4bb26360013deb8661023b07000ddcabf7647305d98c7a434bf5c53
Opcode Fuzzy Hash: 0a60b571e0bbea3369c1555a5b2c9198bbe78efb7f9586a4378139a33742a6c0
Instruction Fuzzy Hash: 456159715042059FDB10EF65C88099FB3E8FF89318F04492EF99987251EB39E905CBAA

Function 004AD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00443AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00443A97,?,?,00442E7F,?,?,?,00000000), ref: 00443AC2

Part of subcall function 004AE199: GetFileAttributesW.KERNEL32(?,004ACF95), ref: 004AE19A

FindFirstFileW.KERNEL32(?,?), ref: 004AD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 004AD1DD
MoveFileW.KERNEL32(?,?), ref: 004AD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 004AD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 004AD237

Part of subcall function 004AD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,004AD21C,?,?), ref: 004AD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 004AD253
FindClose.KERNEL32(00000000), ref: 004AD264

Strings

\*.*, xrefs: 004AD0CD, 004AD0D6, 004AD0EB

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 5cb9d35a859dec2acf2bcccefaeb065b12b660aa668669ab1fa237393b075905
Instruction ID: cff0d65d32c91f37052c70ad8ffb8b1b9073b07fd83be28c0a996b957a53fdec
Opcode Fuzzy Hash: 5cb9d35a859dec2acf2bcccefaeb065b12b660aa668669ab1fa237393b075905
Instruction Fuzzy Hash: 63616E31C0110D9ADF05EFE1D9929EEB7B5AF26304F2441ABE40277192EB385F09DB69

Function 004BED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004BED91
EmptyClipboard.USER32 ref: 004BED97
GlobalAlloc.KERNEL32(00000002,?), ref: 004BEDAC
CloseClipboard.USER32 ref: 004BEEA3

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: cb31124a94256a937254f6cb9291daaa3e726c6fe8e85539d1ac54643ab72c6a
Instruction ID: 9a8808c59838e27519d9a6a13f6fe0483ef079ae26af87374b834764228263e2
Opcode Fuzzy Hash: cb31124a94256a937254f6cb9291daaa3e726c6fe8e85539d1ac54643ab72c6a
Instruction Fuzzy Hash: C441B335605612DFE710CF16D488B9ABBE5EF84318F14C49EE4158B762C779EC42CB98

Function 004AE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004A170D
Part of subcall function 004A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004A173A
Part of subcall function 004A16C3: GetLastError.KERNEL32 ref: 004A174A

ExitWindowsEx.USER32(?,00000000), ref: 004AE932

Strings

, xrefs: 004AE920
@, xrefs: 004AE925
SeShutdownPrivilege, xrefs: 004AE902
, xrefs: 004AE95C

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 050975a779c5ebe80bcdeea3695fbf811a11be5d26198dde3b3934f90b6eeb40
Instruction ID: ca0aa5977972a2945417739287e0a2b33b7b509814f77121c523c5e66c9cfea7
Opcode Fuzzy Hash: 050975a779c5ebe80bcdeea3695fbf811a11be5d26198dde3b3934f90b6eeb40
Instruction Fuzzy Hash: BA0149B2610311ABEB5422B69CC6FFF735CAB36744F140827FC23E21E2D5A85C4081AC

Function 004C1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004C1276
WSAGetLastError.WSOCK32 ref: 004C1283
bind.WSOCK32(00000000,?,00000010), ref: 004C12BA
WSAGetLastError.WSOCK32 ref: 004C12C5
closesocket.WSOCK32(00000000), ref: 004C12F4
listen.WSOCK32(00000000,00000005), ref: 004C1303
WSAGetLastError.WSOCK32 ref: 004C130D
closesocket.WSOCK32(00000000), ref: 004C133C

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 6182f361b3cd93ad6dc1b74a03d1f51efe6f48379c13b6a4be2312af0319150f
Instruction ID: f49ccbe191fca1e620a128b104f316d41cb35b39cb7e37abce409d4f2c0fda02
Opcode Fuzzy Hash: 6182f361b3cd93ad6dc1b74a03d1f51efe6f48379c13b6a4be2312af0319150f
Instruction Fuzzy Hash: F9418F396001419FD710EF24C484F2ABBE5AF46318F18819EE8569F3A3C775EC82CBA5

Function 0047B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0047B9D4
_free.LIBCMT ref: 0047B9F8
_free.LIBCMT ref: 0047BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004E3700), ref: 0047BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0051121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0047BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00511270,000000FF,?,0000003F,00000000,?), ref: 0047BC36
_free.LIBCMT ref: 0047BD4B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 8e1db44aba4dbd8a39b652bdd44a59f188194efdb802ec48d1e023534d86e4a1
Instruction ID: e2b1b7bce0aef71e798de697c13b33754dc6b644440be7dc1f211a688b6738ba
Opcode Fuzzy Hash: 8e1db44aba4dbd8a39b652bdd44a59f188194efdb802ec48d1e023534d86e4a1
Instruction Fuzzy Hash: 90C126719002059ECB21AF7A8841BEE7BA8EF41314F14C19FE998D7355E7389E45C7D8

Function 004AD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00443AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00443A97,?,?,00442E7F,?,?,?,00000000), ref: 00443AC2

Part of subcall function 004AE199: GetFileAttributesW.KERNEL32(?,004ACF95), ref: 004AE19A

FindFirstFileW.KERNEL32(?,?), ref: 004AD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 004AD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 004AD481
FindClose.KERNEL32(00000000), ref: 004AD498
FindClose.KERNEL32(00000000), ref: 004AD4A1

Strings

\*.*, xrefs: 004AD3F2

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 746e1e5927926c2131ea953aab68af40e5337e15fabf934bd40d95607d3d286a
Instruction ID: 145dcb8f270e433ba245c478ff2e4763219597943d0ec8071836fb5b320bd47f
Opcode Fuzzy Hash: 746e1e5927926c2131ea953aab68af40e5337e15fabf934bd40d95607d3d286a
Instruction Fuzzy Hash: A23170714093459FD300EF65C8958AF77E8BEA6308F444A2FF4D252191EB38AA09D76B

Function 0047E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0047E645

Strings

1#QNAN, xrefs: 0047F84B
1#INF, xrefs: 0047F852
1#SNAN, xrefs: 0047F844
1#IND, xrefs: 0047F83D

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a0de21213f5cf7abcf65a7a2bda5058181ae3d5bc3ddbff23fed64a013242043
Instruction ID: 8dcbe4e9207542078225243c03963ee1ae5ae4f73a0883c59df728faff92c267
Opcode Fuzzy Hash: a0de21213f5cf7abcf65a7a2bda5058181ae3d5bc3ddbff23fed64a013242043
Instruction Fuzzy Hash: AFC26B71E086288FDB25CE29DD407EAB7B5EB48304F1482EBD44DE7241E778AE858F45

Function 004B648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004B64DC
CoInitialize.OLE32(00000000), ref: 004B6639
CoCreateInstance.OLE32(004DFCF8,00000000,00000001,004DFB68,?), ref: 004B6650
CoUninitialize.OLE32 ref: 004B68D4

Strings

.lnk, xrefs: 004B64BA, 004B6524, 004B65E0

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 213772d98bd8d1be93f2b1bf7ea7574ca3ac51f3d883f1a3fbd67f12e19a2b04
Instruction ID: 6c9e46e7acd14678c83d22e1199419d016a42d448032a77a247b83ba3f525706
Opcode Fuzzy Hash: 213772d98bd8d1be93f2b1bf7ea7574ca3ac51f3d883f1a3fbd67f12e19a2b04
Instruction Fuzzy Hash: 2ED15B71508201AFD314EF25C881DABB7E8FF94708F04496EF5958B291DB39ED09CBA6

Function 004C22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004C22E8

Part of subcall function 004BE4EC: GetWindowRect.USER32(?,?), ref: 004BE504

GetDesktopWindow.USER32 ref: 004C2312
GetWindowRect.USER32(00000000), ref: 004C2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 004C2355
GetCursorPos.USER32(?), ref: 004C2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004C23DF

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 620644b46a6a235571655573603c2e2a31f4b6c7beb1b1eba2b3c983fbac519a
Instruction ID: 6f5dc6e87b7da2aba1958237f372b1b0007947b8f0c2d529896f0d2f3889a826
Opcode Fuzzy Hash: 620644b46a6a235571655573603c2e2a31f4b6c7beb1b1eba2b3c983fbac519a
Instruction Fuzzy Hash: FB31E172105356ABC720DF25D944F5BB7A9FF84714F00091EF88497191DBB8EA08CB9A

Function 004B9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 004B9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 004B9C8B

Part of subcall function 004B3874: GetInputState.USER32 ref: 004B38CB
Part of subcall function 004B3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 004B9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 004B9C75

Strings

*.*, xrefs: 004B9B5D

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 7c68bea77686cb95ad6c508d2c173a8bbff9e98e7c198c8fbd89777181547d06
Instruction ID: 4b7053a2198dd30107d63513f9a4b389f9583375d4870dda12204cc50f3378a1
Opcode Fuzzy Hash: 7c68bea77686cb95ad6c508d2c173a8bbff9e98e7c198c8fbd89777181547d06
Instruction Fuzzy Hash: E841927194420A9FDF14DFA5C889AEE7BB4FF05304F20415BE905A3291EB349E44CF69

Function 00448060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00485DB2
VUUU, xrefs: 0044843C
VUUU, xrefs: 00485DF0
ERCP, xrefs: 0044813C
VUUU, xrefs: 004483E8
VUUU, xrefs: 004483FA

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 0-2009957334
Opcode ID: cb6adf192747e53a505bdfa5e1557018285033fe579242bfe96d776d19a274ba
Instruction ID: f10700c030a0d8f6ca489324b740d40c7d5060f82b49e24b6534beaa3f25f472
Opcode Fuzzy Hash: cb6adf192747e53a505bdfa5e1557018285033fe579242bfe96d776d19a274ba
Instruction Fuzzy Hash: E7A29E70E0021ACBEF24DF58C9407AEB7B1BB54314F2585ABD815A7385EB389D81CF99

Function 0045997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00459A4E
GetSysColor.USER32(0000000F), ref: 00459B23
SetBkColor.GDI32(?,00000000), ref: 00459B36

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: c8e1d9bb8896fe0a29252374b0c5388dea8bb646f2ae51cda68421c5da6451e8
Instruction ID: a769b2526b0f3423d8617dcbd3c25ae1f206f6a67a00637a5ce6b4860b2511a2
Opcode Fuzzy Hash: c8e1d9bb8896fe0a29252374b0c5388dea8bb646f2ae51cda68421c5da6451e8
Instruction Fuzzy Hash: 21A10CB0118584FEEB249B3D8C58D7B2A9DEB42315B14415FF902C6793CA2D9D0AD37E

Function 004C1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004C307A
Part of subcall function 004C304E: _wcslen.LIBCMT ref: 004C309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 004C185D
WSAGetLastError.WSOCK32 ref: 004C1884
bind.WSOCK32(00000000,?,00000010), ref: 004C18DB
WSAGetLastError.WSOCK32 ref: 004C18E6
closesocket.WSOCK32(00000000), ref: 004C1915

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: cba365f0952fa2a33da7fd7fdb862550f40bbab53b3251aea053aeb02d622f2c
Instruction ID: 79161794ab389f961765496263c9464a40fbc2d36891ce4822dcb9f83d2803a7
Opcode Fuzzy Hash: cba365f0952fa2a33da7fd7fdb862550f40bbab53b3251aea053aeb02d622f2c
Instruction Fuzzy Hash: 5151D475A00210AFEB10AF25C886F2AB7E5AB45718F08849EF9055F3D3C779AD41CBA5

Function 004D1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004D1CC0
IsWindowEnabled.USER32 ref: 004D1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 004D1CDB
IsIconic.USER32 ref: 004D1CE9
IsZoomed.USER32 ref: 004D1CF7

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4a28e2003497474c65e7cb1cb4467127c1f0e37e68ece04905e6b9fc34f83e8e
Instruction ID: 86388c739614773bb25f5934ce8a216e1e35d63ebd2a414dd1bd4011350cc9d1
Opcode Fuzzy Hash: 4a28e2003497474c65e7cb1cb4467127c1f0e37e68ece04905e6b9fc34f83e8e
Instruction Fuzzy Hash: D821E1317512016FE7208F1AC8A4B2B7BA5EF95714B18806FEC468B361C779EC42CB98

Function 004A8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004A82AA

Strings

|, xrefs: 004A82DA
(, xrefs: 004A82F0
tbP, xrefs: 004A84F4

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbP$|
API String ID: 1659193697-2761516067
Opcode ID: 436ce9da3e2f6bf67eed9bb3c701b175d9c4cbf061ff96f443046b0edede5a5f
Instruction ID: 69d7f5566fb06c8a5ab7c1fbaf37613f4551fb94c5e7aaeca647bcc025975ec4
Opcode Fuzzy Hash: 436ce9da3e2f6bf67eed9bb3c701b175d9c4cbf061ff96f443046b0edede5a5f
Instruction Fuzzy Hash: D0323575A007059FCB28CF19C481AAAB7F0FF58710B15C46EE89ADB7A1EB74E941CB44

Function 004AAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 004AAAAC
SetKeyboardState.USER32(00000080), ref: 004AAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 004AAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 004AAB88

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 393f763a0f08acccd2a654ed62987e57158ee0a165acc84aeada6961e13328b9
Instruction ID: 8e7d1b8e525c319f95547b8536ad6cd9e77904bf4ed525cd6533020fca1ada7a
Opcode Fuzzy Hash: 393f763a0f08acccd2a654ed62987e57158ee0a165acc84aeada6961e13328b9
Instruction Fuzzy Hash: 55311A30A40208AEFF35CA65CC05BFB77A6AB66310F04421BF281562D1D37DA9A1C77B

Function 004BCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 004BCE89
GetLastError.KERNEL32(?,00000000), ref: 004BCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 004BCEFE

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c0bdeb0c09f95187de3a5cb4977af6287fc788917690e76739e7e6d7b2771ea5
Instruction ID: f70a88988bee3ec56d67319b1ae0f0a43165593dbd1c17a93eda1c1a78fb3b62
Opcode Fuzzy Hash: c0bdeb0c09f95187de3a5cb4977af6287fc788917690e76739e7e6d7b2771ea5
Instruction Fuzzy Hash: D0219071900306DBDB20DFA5C9C4BA777F8EB50358F10446FE64692291E778EE05CBA8

Function 004B5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004B5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 004B5D17
FindClose.KERNEL32(?), ref: 004B5D5F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b63c7d37f5b286415ee9b9ee0d7bcc3329cf157656812be59343d0b9da2a6435
Instruction ID: ccc54f9bf8c37d61d82734e949b1d6b8d3daecfe0a3c20b09bce5c7a415deb5d
Opcode Fuzzy Hash: b63c7d37f5b286415ee9b9ee0d7bcc3329cf157656812be59343d0b9da2a6435
Instruction Fuzzy Hash: C85199746046019FC714CF28C494A9AF7E8FF49318F14865EE95A8B3A1CB38E805CFA5

Function 00472622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0047271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00472724
UnhandledExceptionFilter.KERNEL32(?), ref: 00472731

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7d4e3d22d90d11a4ee2985b7d334f5c23de2facf79ce3387ed4ea10d1cb66eb1
Instruction ID: 28f071ad4f1babb1f099a063dc92ea61c6072b39347d3cfc56bbc9250eb4787e
Opcode Fuzzy Hash: 7d4e3d22d90d11a4ee2985b7d334f5c23de2facf79ce3387ed4ea10d1cb66eb1
Instruction Fuzzy Hash: 1631D774911218ABCB21DF65DD887DDB7B8AF18310F5042EAE80CA7260E7749F818F49

Function 004B51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004B5238
SetErrorMode.KERNEL32(00000000), ref: 004B52A1

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: cdbd693e74c7232cb2102cfb070e97a9cfcf4d97414355a63665a87f50e70595
Instruction ID: 940baa1ac59d749553be5c5b50a2ea5c27eca56093f50f6013228dc2fd246cd3
Opcode Fuzzy Hash: cdbd693e74c7232cb2102cfb070e97a9cfcf4d97414355a63665a87f50e70595
Instruction Fuzzy Hash: AF314D75A005189FDB00DF55D8C4EAEBBB4FF49318F0880AAE8059B392DB35E856CB64

Function 004A16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0045FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00460668
Part of subcall function 0045FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00460685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004A170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004A173A
GetLastError.KERNEL32 ref: 004A174A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 8f21857c50784b4f8450d999bd6e325d4b5f2bbaf775c520636ac26b7951420e
Instruction ID: 18756058707eb33a4139721e211ff357e0f21e1e2187966009e77c0f41b01df8
Opcode Fuzzy Hash: 8f21857c50784b4f8450d999bd6e325d4b5f2bbaf775c520636ac26b7951420e
Instruction Fuzzy Hash: B1110EB2400305BFDB18AF54DCC6D6BB7B8EB04714B20802FE44697251EB74BC49CA68

Function 004AD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004AD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 004AD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004AD650

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 063c19c5fe73ecc65e753ff446bd1c8eaeef757a7c66cde7e75fe5170240318a
Instruction ID: 1b06602acabd91302bb7a19b2fa79abae2ef08d1ac39c317b042863b07e3cfa6
Opcode Fuzzy Hash: 063c19c5fe73ecc65e753ff446bd1c8eaeef757a7c66cde7e75fe5170240318a
Instruction Fuzzy Hash: 9B118E71E05228BFDB108F94DC84FAFBBBCEB45B50F108122F904E7290C2704A018BA5

Function 004A1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004A168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004A16A1
FreeSid.ADVAPI32(?), ref: 004A16B1

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1713f0045b3441dfef9c97bec3945816b432b11155af7f3a979fc71d8bd7ad34
Instruction ID: efb30fc0a20b45eed527dd684e767c35939fcd3f2204346ed93ee6cb300e5277
Opcode Fuzzy Hash: 1713f0045b3441dfef9c97bec3945816b432b11155af7f3a979fc71d8bd7ad34
Instruction Fuzzy Hash: F5F0F471951309FBDF00DFE49C89EAEBBBCEB08604F504566E501E2191E774AA448A54

Function 0047C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0047C36C

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 4d19661c64cfca9642b3714377944d2204324318cc929b8099c65d6174c68a1c
Instruction ID: 425a93638850e31272153f82599cf4ef9329110947935952f2981655d4b2256e
Opcode Fuzzy Hash: 4d19661c64cfca9642b3714377944d2204324318cc929b8099c65d6174c68a1c
Instruction Fuzzy Hash: 9B4128729006196BCB209FB9CC88DFB7778EB84314F1082AEF909D7280E6749D418B58

Function 0049D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0049D28C

Strings

X64, xrefs: 0049D2A8

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: d6dc960ca8bcb437f1ff6db050a11f8e1edffbf385c6d79b1f03a21f73e3b455
Instruction ID: 734f1a1bde815913a2b2a7cc941b9f8216ad4db7586b15f7583691761827c3a3
Opcode Fuzzy Hash: d6dc960ca8bcb437f1ff6db050a11f8e1edffbf385c6d79b1f03a21f73e3b455
Instruction Fuzzy Hash: C2D0C9B480111DEACF90CB90DCC8DD9B77CBB04305F1001A2F506A2080D73495498F14

Function 0046CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a49604b0a8cf665cd8463bd6c77995f2e619b4941bd74f44c5c4f825e86613b3
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A7023C71E002199BDF14CFA9C9C06AEBBF1EF48314F25816AD859E7380E735AA418B95

Function 0044CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

8!, xrefs: 0044CF7F
Variable is not of type 'Object'., xrefs: 00490C40

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: 8!$Variable is not of type 'Object'.
API String ID: 0-449359737
Opcode ID: 72653585e873e706e7c88c44d5dea577cfcde5421ddb59ad650f663b90954c7a
Instruction ID: 4955907399058fe4d64edbb02d34fbc17f64c634521836ccf98309f09a2f46af
Opcode Fuzzy Hash: 72653585e873e706e7c88c44d5dea577cfcde5421ddb59ad650f663b90954c7a
Instruction Fuzzy Hash: E1326F74901218DFEF54DF90C8C5AEEBBB5BF14308F14406AE8066B392D739AD4ACB59

Function 004B68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004B6918
FindClose.KERNEL32(00000000), ref: 004B6961

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: af92655b3322d1b5549dcb8228fc9764045ac3413b019154beefe881e7c7bbba
Instruction ID: d5ec47cf6335c2765dda0dd5d156a17e05789ea9ca22c3413d45d5f0878e129f
Opcode Fuzzy Hash: af92655b3322d1b5549dcb8228fc9764045ac3413b019154beefe881e7c7bbba
Instruction Fuzzy Hash: 8811B1716042019FD710CF29C4C4A16BBE1EF84328F05C6AEE8698F3A2C738EC05CB95

Function 004B37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,004C4891,?,?,00000035,?), ref: 004B37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,004C4891,?,?,00000035,?), ref: 004B37F4

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0892ca4af0aa6a53fc10d59b5f68f3d420aaaa24f4efa768e619d84cfbbc5cd2
Instruction ID: 81dfd3efca53ddf08967eff486ac09601e485db0ee064c2cf052da5bbdd0c69f
Opcode Fuzzy Hash: 0892ca4af0aa6a53fc10d59b5f68f3d420aaaa24f4efa768e619d84cfbbc5cd2
Instruction Fuzzy Hash: 3FF0EC706052256AE71017675C8DFDB775DDFC4765F000577F509D2291D9605D04C7F4

Function 004AB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004AB25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 004AB270

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 5abf8465ea6a1a11bde4c4e0748bbef99b66824f34951d6cf3147f2e208533e4
Instruction ID: fba9bd707d67451d49d0367afa86847768372b964fff45d4700d97e3dfce5943
Opcode Fuzzy Hash: 5abf8465ea6a1a11bde4c4e0748bbef99b66824f34951d6cf3147f2e208533e4
Instruction Fuzzy Hash: A6F01D7180424EABDB059FA0C809BAE7BB4FF05305F00805AF955A5192C3798611DF98

Function 004A10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004A11FC), ref: 004A10D4
CloseHandle.KERNEL32(?,?,004A11FC), ref: 004A10E9

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 715ccaca991968d342fe3e4e72f33bdfa390b1c4cd9cc25e565d5993ec6d19bf
Instruction ID: 7e87f6b1aaf0d90fb2dfc146f92f1287e2f8313f7cb78d2a704a0ff2f28c7937
Opcode Fuzzy Hash: 715ccaca991968d342fe3e4e72f33bdfa390b1c4cd9cc25e565d5993ec6d19bf
Instruction Fuzzy Hash: 28E04F32008601AEE7252B51FC06E7377A9EB04311F10882FF8A6804B1DB626C94DB58

Function 0047676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00476766,?,?,00000008,?,?,0047FEFE,00000000), ref: 00476998

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f2d0a9e7514656bcdf37d7beef9a264231cc127ae6c6b84a58fff82df2ee4af7
Instruction ID: 0378190187dc7540a1275503067bb9a54484b0a429184b369f2932314014023a
Opcode Fuzzy Hash: f2d0a9e7514656bcdf37d7beef9a264231cc127ae6c6b84a58fff82df2ee4af7
Instruction Fuzzy Hash: 13B16B71510A089FD718CF28C486BA57BA1FF05364F26C659E89DCF2A2C339D986CB45

Function 0045B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0049851F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 06aeeffad057c82e5f8018c2af3c97d9e30c15b5c5716d1716248d577b0f74cd
Instruction ID: ad2cf314a3b34f329804843ce6f97904ddb43e39242f8db7c5060f0fc8213c2d
Opcode Fuzzy Hash: 06aeeffad057c82e5f8018c2af3c97d9e30c15b5c5716d1716248d577b0f74cd
Instruction Fuzzy Hash: 581251719002199BDF24CF58C8806EEB7B5FF49710F1481ABE849EB252DB389A85CF95

Function 004BEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 004BEABD

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: a031c8407f6b3e76bb3b2c616f91292d481c70bf7d3cb68f28ce2bbd866a8027
Instruction ID: baf6dfd076fc7403a12d4b4a14966c8bb1ccb9d47327505adec3b2de9af79efe
Opcode Fuzzy Hash: a031c8407f6b3e76bb3b2c616f91292d481c70bf7d3cb68f28ce2bbd866a8027
Instruction Fuzzy Hash: E0E01A31200204AFD710EF6AD844E9AF7EDAF98764F00842BFC49C7391DA78E8418BA5

Function 004609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004603EE), ref: 004609DA

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f12016c38cd83bc85ca92b9f46b1829e9d0f31041dade312c7c54414380f6ff3
Instruction ID: 8769f1eebe6eedeba84163d246e6da1af2c11fc35e9b854ab28933c19d62ad36
Opcode Fuzzy Hash: f12016c38cd83bc85ca92b9f46b1829e9d0f31041dade312c7c54414380f6ff3
Instruction Fuzzy Hash:

Function 0046781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0046798B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 53903b253fd0543935c4c6df2e76f2c87a8f1ce5777cb161b363507de66416eb
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: E25137A160C70556EB38A67988997BF27D59B0234CF180A0FD882D7382F61DDE4AD35F

Function 004B2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&Q, xrefs: 004B2053

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: 0&Q
API String ID: 0-77127364
Opcode ID: 57d0dc16a6607aa39f716888c42bb00535cda9f6029d3bb7e4ce430f868e2549
Instruction ID: 1b50203392b4f2da0cd0a0bd67a3b99b7fbd7eefba1e9b7c4f6edad1624c2e9c
Opcode Fuzzy Hash: 57d0dc16a6607aa39f716888c42bb00535cda9f6029d3bb7e4ce430f868e2549
Instruction Fuzzy Hash: 69210A323206118BD728CF79C9236BE73E5A764310F148A2EE4A7C33D0DE79A904DB94

Function 00476DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7e30eba3cd2d7fdf627b3e64d4042bd8ed711840f516f1fcf975a0ac8fe123
Instruction ID: 4637db1ee3c7294b1be8df48d5a901ef34a8a28ce6b9cf6155db6647c8bcba82
Opcode Fuzzy Hash: 1a7e30eba3cd2d7fdf627b3e64d4042bd8ed711840f516f1fcf975a0ac8fe123
Instruction Fuzzy Hash: 7F326522D29F414DD7239638CD62336A64DAFB33C4F55C737E81AB9EA6EB68C4834104

Function 0045CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be3cd205b16f4bcd6f25a78db92e6547c60c4971a0def328187b086d953b474
Instruction ID: d74e644c32553d6df23c73f437fdfad0e03b64778444c32f5175f0e27aa1f299
Opcode Fuzzy Hash: 4be3cd205b16f4bcd6f25a78db92e6547c60c4971a0def328187b086d953b474
Instruction Fuzzy Hash: 0232F132A002458FDF29CE29C4D467E7FA1EB45305F28857BD85A8B392D23CDD86DB49

Function 00447920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea36390ee0f63e0d38c08e2a114e4ebc24aaf079f407203a691bbdf10a759a31
Instruction ID: ff10ccb107c76f1cb4ed4dfef90ef5e0256d7fbb2f51c2addd56fa35d9cc58ac
Opcode Fuzzy Hash: ea36390ee0f63e0d38c08e2a114e4ebc24aaf079f407203a691bbdf10a759a31
Instruction Fuzzy Hash: 2D22D2B0A00609DFEF14DF65C881AAEB3F5FF44304F14452AE816E7291EB39AD16CB59

Function 004491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab0c9c59854bb2344c5883ee671e76927a21a1c2814010b48f6db7e4c137354
Instruction ID: 5a4fb86a5b3acd1c285fc18b7411f9743ac50aadd3a1c678aa753ea5cede3d0f
Opcode Fuzzy Hash: 2ab0c9c59854bb2344c5883ee671e76927a21a1c2814010b48f6db7e4c137354
Instruction Fuzzy Hash: ED02D6B0E00105EBDB04EF55D881AAEB7B5FF44304F10856AE806DB391EB39EE15DB89

Function 00479EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9855cd8d10b4e70cde71cbc9636ea55ecfe4763fdc24702db31d1a750de13e
Instruction ID: d8996e45673a419eaa9a08446e3d471eae6bdf47ee7dada0f54b1a1ad81ce26e
Opcode Fuzzy Hash: 5f9855cd8d10b4e70cde71cbc9636ea55ecfe4763fdc24702db31d1a750de13e
Instruction Fuzzy Hash: B4B12630D2AF804DD3239A398875336B65CAFBB6C6F51D72BFC1679D62EB2185834144

Function 00467A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a935f6750f7082111288e6c91574ec828df002cf409219750c78b3cd325f24
Instruction ID: f9b0e94c949542d76cdd522a58dae2fd0269ae6099d9eb58a6f4f594febf9451
Opcode Fuzzy Hash: e9a935f6750f7082111288e6c91574ec828df002cf409219750c78b3cd325f24
Instruction Fuzzy Hash: 4D61697120870956DA349A6888A5BBF3394DF41B4CF140A1FE842DB382FA5DAE42C71F

Function 00467CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cb14924b63c72a23d706e4c502b4b8e40a787c1a035894fe8435258c080ee7
Instruction ID: 5b7482d8300e428b0e347fc3a4e5288de62faedfa84c3b2d05207cf2a7c48649
Opcode Fuzzy Hash: 59cb14924b63c72a23d706e4c502b4b8e40a787c1a035894fe8435258c080ee7
Instruction Fuzzy Hash: B261797160870966DB388A289891BBF23849F4274CF100D5FE943DB381FA1E9D46835F

Function 004C2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004C2B30
DeleteObject.GDI32(00000000), ref: 004C2B43
DestroyWindow.USER32 ref: 004C2B52
GetDesktopWindow.USER32 ref: 004C2B6D
GetWindowRect.USER32(00000000), ref: 004C2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 004C2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004C2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2CF8
GetClientRect.USER32(00000000,?), ref: 004C2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004C2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2D80
GlobalLock.KERNEL32(00000000), ref: 004C2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2D98
GlobalUnlock.KERNEL32(00000000), ref: 004C2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2DA8
GlobalFree.KERNEL32(00000000), ref: 004C2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 004C2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,004DFC38,00000000), ref: 004C2DDB
GlobalFree.KERNEL32(00000000), ref: 004C2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 004C2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 004C2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C303F

Strings

static, xrefs: 004C2D3A, 004C2E91
AutoIt v3, xrefs: 004C2CF2
, xrefs: 004C2FC5
DISPLAY, xrefs: 004C2EA2

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ede97e680ecaacca52f5cf8b772ef30215e1e7789bf0afde78fc4f918de1e6f0
Instruction ID: b113b5b381bce7ef4e4d4482505129303358bef4fef47705c3c1614cf89de3ab
Opcode Fuzzy Hash: ede97e680ecaacca52f5cf8b772ef30215e1e7789bf0afde78fc4f918de1e6f0
Instruction Fuzzy Hash: 6202AD75900219AFDB14DF64CD89EAE7BB9EB48314F00855EF915AB2A0CB74ED01CB68

Function 004D70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 004D712F
GetSysColorBrush.USER32(0000000F), ref: 004D7160
GetSysColor.USER32(0000000F), ref: 004D716C
SetBkColor.GDI32(?,000000FF), ref: 004D7186
SelectObject.GDI32(?,?), ref: 004D7195
InflateRect.USER32(?,000000FF,000000FF), ref: 004D71C0
GetSysColor.USER32(00000010), ref: 004D71C8
CreateSolidBrush.GDI32(00000000), ref: 004D71CF
FrameRect.USER32(?,?,00000000), ref: 004D71DE
DeleteObject.GDI32(00000000), ref: 004D71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 004D7230
FillRect.USER32(?,?,?), ref: 004D7262
GetWindowLongW.USER32(?,000000F0), ref: 004D7284

Part of subcall function 004D73E8: GetSysColor.USER32(00000012), ref: 004D7421
Part of subcall function 004D73E8: SetTextColor.GDI32(?,?), ref: 004D7425
Part of subcall function 004D73E8: GetSysColorBrush.USER32(0000000F), ref: 004D743B
Part of subcall function 004D73E8: GetSysColor.USER32(0000000F), ref: 004D7446
Part of subcall function 004D73E8: GetSysColor.USER32(00000011), ref: 004D7463
Part of subcall function 004D73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004D7471
Part of subcall function 004D73E8: SelectObject.GDI32(?,00000000), ref: 004D7482
Part of subcall function 004D73E8: SetBkColor.GDI32(?,00000000), ref: 004D748B
Part of subcall function 004D73E8: SelectObject.GDI32(?,?), ref: 004D7498
Part of subcall function 004D73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004D74B7
Part of subcall function 004D73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004D74CE
Part of subcall function 004D73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004D74DB

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 4969c1564b45507c968be77c99672955c8269877033e94623d8e30d75c85e821
Instruction ID: bc57eb5a331f874e6a3c7fb9b84825649343014f27a923318a245a8af5d93b3c
Opcode Fuzzy Hash: 4969c1564b45507c968be77c99672955c8269877033e94623d8e30d75c85e821
Instruction Fuzzy Hash: 60A1A372009312BFDB019F60DC98A5FBBA9FB49320F100B2BF962962E1D734D945CB56

Function 004C2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004C273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004C286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004C28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004C28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 004C2900
GetClientRect.USER32(00000000,?), ref: 004C290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 004C2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004C2964
GetStockObject.GDI32(00000011), ref: 004C2974
SelectObject.GDI32(00000000,00000000), ref: 004C2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 004C2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004C2991
DeleteDC.GDI32(00000000), ref: 004C299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004C29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004C29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 004C2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 004C2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 004C2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 004C2A77
GetStockObject.GDI32(00000011), ref: 004C2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004C2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 004C2A97

Strings

static, xrefs: 004C294F, 004C2A71
AutoIt v3, xrefs: 004C28F8
msctls_progress32, xrefs: 004C2A13
DISPLAY, xrefs: 004C295A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a0570d5f210081e0a53705d712b3d3169aa01c6b20dd9ce8ab68fff318a7d4af
Instruction ID: abfd03025e7fd1e7acbd8d4a2ba50739fbb682fe9c819363f75a4a247877d31e
Opcode Fuzzy Hash: a0570d5f210081e0a53705d712b3d3169aa01c6b20dd9ce8ab68fff318a7d4af
Instruction Fuzzy Hash: C1B16F75A00615BFEB14DF68CD85FAE7BA9EB04714F00855AFA14E7290D7B4ED00CBA8

Function 004B4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B4AED
GetDriveTypeW.KERNEL32(?,004DCB68,?,\\.\,004DCC08), ref: 004B4BCA
SetErrorMode.KERNEL32(00000000,004DCB68,?,\\.\,004DCC08), ref: 004B4D36

Strings

Network, xrefs: 004B4C02
ATA, xrefs: 004B4C98
ATAPI, xrefs: 004B4C91
CDROM, xrefs: 004B4BFB
Fixed, xrefs: 004B4C09
SSD, xrefs: 004B4C4A
Virtual, xrefs: 004B4CE5
SSA, xrefs: 004B4CA6
RAID, xrefs: 004B4CBB
Unknown, xrefs: 004B4BED, 004B4C83
MMC, xrefs: 004B4CDE
FileBackedVirtual, xrefs: 004B4CEC
RAMDisk, xrefs: 004B4BF4
USB, xrefs: 004B4CB4
\\.\, xrefs: 004B4B3F
PhysicalDrive, xrefs: 004B4B76
1394, xrefs: 004B4C9F
iSCSI, xrefs: 004B4CC2
Fibre, xrefs: 004B4CAD
Removable, xrefs: 004B4C10, 004B4C15
SCSI, xrefs: 004B4C8A
SATA, xrefs: 004B4CD0
SAS, xrefs: 004B4CC9

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: bbc78320d4c7a8e51213a92bd792d9330ca6aff3336bb933a31dc2945f1f87ee
Instruction ID: 27b65e6b2ab6cfef94a938956f02251ba264796e8b788333bb70e32f7af41407
Opcode Fuzzy Hash: bbc78320d4c7a8e51213a92bd792d9330ca6aff3336bb933a31dc2945f1f87ee
Instruction Fuzzy Hash: 5B61C2316051069BDB04DF24C9829BD7FB0BB84B04B21401BF806AB693DB3DED56DB7A

Function 004D73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 004D7421
SetTextColor.GDI32(?,?), ref: 004D7425
GetSysColorBrush.USER32(0000000F), ref: 004D743B
GetSysColor.USER32(0000000F), ref: 004D7446
CreateSolidBrush.GDI32(?), ref: 004D744B
GetSysColor.USER32(00000011), ref: 004D7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 004D7471
SelectObject.GDI32(?,00000000), ref: 004D7482
SetBkColor.GDI32(?,00000000), ref: 004D748B
SelectObject.GDI32(?,?), ref: 004D7498
InflateRect.USER32(?,000000FF,000000FF), ref: 004D74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004D74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004D74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004D752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004D7554
InflateRect.USER32(?,000000FD,000000FD), ref: 004D7572
DrawFocusRect.USER32(?,?), ref: 004D757D
GetSysColor.USER32(00000011), ref: 004D758E
SetTextColor.GDI32(?,00000000), ref: 004D7596
DrawTextW.USER32(?,004D70F5,000000FF,?,00000000), ref: 004D75A8
SelectObject.GDI32(?,?), ref: 004D75BF
DeleteObject.GDI32(?), ref: 004D75CA
SelectObject.GDI32(?,?), ref: 004D75D0
DeleteObject.GDI32(?), ref: 004D75D5
SetTextColor.GDI32(?,?), ref: 004D75DB
SetBkColor.GDI32(?,?), ref: 004D75E5

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 15924496c9cab8caf77607fef31583beeca8f04e0a2a9b4fe17ab91f9cdc202c
Instruction ID: dacbb7c5bf845b16eafbb12b5df97f7bd8f2982f2583530a527fa50dd12e6602
Opcode Fuzzy Hash: 15924496c9cab8caf77607fef31583beeca8f04e0a2a9b4fe17ab91f9cdc202c
Instruction Fuzzy Hash: B1616F72901219BFDF019FA4DC99EEEBFB9EB08320F114126F915AB2A1D7749940CF94

Function 004D0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004D1128
GetDesktopWindow.USER32 ref: 004D113D
GetWindowRect.USER32(00000000), ref: 004D1144
GetWindowLongW.USER32(?,000000F0), ref: 004D1199
DestroyWindow.USER32(?), ref: 004D11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004D11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004D120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004D121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 004D1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 004D1245
IsWindowVisible.USER32(00000000), ref: 004D12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004D12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004D12D0
GetWindowRect.USER32(00000000,?), ref: 004D12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 004D130E
GetMonitorInfoW.USER32(00000000,?), ref: 004D1328
CopyRect.USER32(?,?), ref: 004D133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004D13AA

Strings

tooltips_class32, xrefs: 004D11E6
0, xrefs: 004D10D3
(, xrefs: 004D131B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a9edb41c2462ea658ddfca60e94f65d1b6b29dad5bb5a9788305c7c4c7bd5fed
Instruction ID: 2b911623660c9ddfee3a924f2aa64887f479ab1a51c19e5966284ee3d1b22407
Opcode Fuzzy Hash: a9edb41c2462ea658ddfca60e94f65d1b6b29dad5bb5a9788305c7c4c7bd5fed
Instruction Fuzzy Hash: 48B18C71604341AFE700DF65C885B6BBBE4FF88354F00891EF9999B2A1C735E845CB9A

Function 004D0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004D02E5
_wcslen.LIBCMT ref: 004D031F
_wcslen.LIBCMT ref: 004D0389
_wcslen.LIBCMT ref: 004D03F1
_wcslen.LIBCMT ref: 004D0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004D04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004D0504

Part of subcall function 0045F9F2: _wcslen.LIBCMT ref: 0045F9FD

Part of subcall function 004A223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004A2258
Part of subcall function 004A223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004A228A

Strings

GETITEMCOUNT, xrefs: 004D0316, 004D0337
FINDITEM, xrefs: 004D0627
GETSUBITEMCOUNT, xrefs: 004D0384, 004D039F
SELECT, xrefs: 004D0548
SELECTCLEAR, xrefs: 004D052D
GETSELECTED, xrefs: 004D05E1
ISSELECTED, xrefs: 004D04DD
GETTEXT, xrefs: 004D03EC, 004D0407
SELECTALL, xrefs: 004D0515
SELECTINVERT, xrefs: 004D057E
GETSELECTEDCOUNT, xrefs: 004D0470, 004D048B
DESELECT, xrefs: 004D059C
VIEWCHANGE, xrefs: 004D0675

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 78999eae74419f55d85e842ab1bb10ba5ba3dea9048d02f7ca3ce009b277b9ef
Instruction ID: d9e978e7c8fbc020724c47a68ae4223f0ba829fa1700940f76be8ccd99a42f38
Opcode Fuzzy Hash: 78999eae74419f55d85e842ab1bb10ba5ba3dea9048d02f7ca3ce009b277b9ef
Instruction Fuzzy Hash: FBE1AE312082019BC714DF25C560A2FB7E5BF98318F14495FF8969B3A1DB38ED46CB9A

Function 00458891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00458968
GetSystemMetrics.USER32(00000007), ref: 00458970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0045899B
GetSystemMetrics.USER32(00000008), ref: 004589A3
GetSystemMetrics.USER32(00000004), ref: 004589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00458A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00458A3C
GetClientRect.USER32(00000000,000000FF), ref: 00458A5A
GetStockObject.GDI32(00000011), ref: 00458A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00458A81

Part of subcall function 0045912D: GetCursorPos.USER32(?), ref: 00459141
Part of subcall function 0045912D: ScreenToClient.USER32(00000000,?), ref: 0045915E
Part of subcall function 0045912D: GetAsyncKeyState.USER32(00000001), ref: 00459183
Part of subcall function 0045912D: GetAsyncKeyState.USER32(00000002), ref: 0045919D

SetTimer.USER32(00000000,00000000,00000028,004590FC), ref: 00458AA8

Strings

AutoIt v3 GUI, xrefs: 00458A20

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c4bf074d2f09ba9d82cbeda1e1283f6e3c257f422aef2fd0a7060d40495d87cf
Instruction ID: f4c780a6d50e5c692f42af5c7bd3db35a16bc03e5d882472c14e0e4a60cba9e0
Opcode Fuzzy Hash: c4bf074d2f09ba9d82cbeda1e1283f6e3c257f422aef2fd0a7060d40495d87cf
Instruction Fuzzy Hash: 1AB19E7160020AAFDF04DFA8DC85BAE3BB4FB48315F11416AFA15A7290DB38E845CB59

Function 004A0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004A1114
Part of subcall function 004A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1120
Part of subcall function 004A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A112F
Part of subcall function 004A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1136
Part of subcall function 004A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004A0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004A0E29
GetLengthSid.ADVAPI32(?), ref: 004A0E40
GetAce.ADVAPI32(?,00000000,?), ref: 004A0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004A0E96
GetLengthSid.ADVAPI32(?), ref: 004A0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004A0EB5
HeapAlloc.KERNEL32(00000000), ref: 004A0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004A0EDD
CopySid.ADVAPI32(00000000), ref: 004A0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004A0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004A0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004A0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0F6E
HeapFree.KERNEL32(00000000), ref: 004A0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0F7E
HeapFree.KERNEL32(00000000), ref: 004A0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0F8E
HeapFree.KERNEL32(00000000), ref: 004A0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 004A0FA1
HeapFree.KERNEL32(00000000), ref: 004A0FA8

Part of subcall function 004A1193: GetProcessHeap.KERNEL32(00000008,004A0BB1,?,00000000,?,004A0BB1,?), ref: 004A11A1
Part of subcall function 004A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004A0BB1,?), ref: 004A11A8
Part of subcall function 004A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004A0BB1,?), ref: 004A11B7

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1d41564a20210025e70ec91b017aed7caadca1e24377628fd8fe91faf292f1d0
Instruction ID: 74a062688efe43c25306db39c933e223afc6a4dba787d852820be6e4701bb3b3
Opcode Fuzzy Hash: 1d41564a20210025e70ec91b017aed7caadca1e24377628fd8fe91faf292f1d0
Instruction Fuzzy Hash: F0716D7190121AEFDF209FA4DC84BAFBBB8BF1A301F044126F919B6291D775D905CB68

Function 004CC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,004DCC08,00000000,?,00000000,?,?), ref: 004CC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 004CC5A4
_wcslen.LIBCMT ref: 004CC5F4
_wcslen.LIBCMT ref: 004CC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 004CC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 004CC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 004CC84D
RegCloseKey.ADVAPI32(?), ref: 004CC881
RegCloseKey.ADVAPI32(00000000), ref: 004CC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 004CC960

Strings

REG_QWORD, xrefs: 004CC8C3
REG_EXPAND_SZ, xrefs: 004CC5CD
REG_SZ, xrefs: 004CC644
REG_BINARY, xrefs: 004CC913
REG_MULTI_SZ, xrefs: 004CC6F5
REG_DWORD, xrefs: 004CC804

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 7aa596854ef76ae758340aadb259c49f0251ea1fc4387994f59e435c867c188a
Instruction ID: 47c3bcd7b1295367621c62b4be0f2a43f1b597097f1946c23e88bb1145838f63
Opcode Fuzzy Hash: 7aa596854ef76ae758340aadb259c49f0251ea1fc4387994f59e435c867c188a
Instruction Fuzzy Hash: 51127C35604211AFDB14DF15C481F2AB7E5EF88758F04885EF84A9B3A2DB39EC41CB99

Function 004D091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004D09C6
_wcslen.LIBCMT ref: 004D0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004D0A54
_wcslen.LIBCMT ref: 004D0A8A
_wcslen.LIBCMT ref: 004D0B06
_wcslen.LIBCMT ref: 004D0B81

Part of subcall function 0045F9F2: _wcslen.LIBCMT ref: 0045F9FD

Part of subcall function 004A2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004A2BFA

Strings

GETITEMCOUNT, xrefs: 004D0C1E
ISCHECKED, xrefs: 004D0CE1
UNCHECK, xrefs: 004D0D3E
EXISTS, xrefs: 004D0B7C, 004D0B97
COLLAPSE, xrefs: 004D0B01, 004D0B1C
SELECT, xrefs: 004D0D11
GETSELECTED, xrefs: 004D0C4E
EXPAND, xrefs: 004D0BF8
GETTEXT, xrefs: 004D0C97
CHECK, xrefs: 004D0A85, 004D0AA0
GETTOTALCOUNT, xrefs: 004D09F2, 004D0A17

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 9cbce4118ddbecbb2492ef258fe206cbd69778df5518d2241bac77eff38db762
Instruction ID: d8d6a5fd7b41486e3cc6cd57e964e7b1eeac48dfdee597c5830f92ba6392fa2b
Opcode Fuzzy Hash: 9cbce4118ddbecbb2492ef258fe206cbd69778df5518d2241bac77eff38db762
Instruction Fuzzy Hash: 04E17C316087019FC714DF25C460A2AB7E1BF98318F14495FF8965B3A2D739ED4ACB8A

Function 004CC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
_wcslen.LIBCMT ref: 004CC9F1
_wcslen.LIBCMT ref: 004CCA68
_wcslen.LIBCMT ref: 004CCA9E
_wcslen.LIBCMT ref: 004CCAF9
_wcslen.LIBCMT ref: 004CCB2F
_wcslen.LIBCMT ref: 004CCB7F

Strings

HKLM, xrefs: 004CCA98, 004CCA9D
HKCC, xrefs: 004CCBAC
HKEY_USERS, xrefs: 004CCBDF
HKCU, xrefs: 004CCBCE
HKEY_LOCAL_MACHINE, xrefs: 004CCA62, 004CCA67
HKEY_CURRENT_CONFIG, xrefs: 004CCB79, 004CCB7E
HKEY_CLASSES_ROOT, xrefs: 004CCAF3, 004CCAF8
HKCR, xrefs: 004CCB29, 004CCB2E
HKEY_CURRENT_USER, xrefs: 004CCBBD
HKU, xrefs: 004CCBF0

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 978e368687f166b8eb26426a429886eec5b74cb70635607f846c8584e021b9b7
Instruction ID: e0d0e9f7f9e9d9e2d5ca14b48231ab727a9f62f603bac46fa804e75069288831
Opcode Fuzzy Hash: 978e368687f166b8eb26426a429886eec5b74cb70635607f846c8584e021b9b7
Instruction Fuzzy Hash: 5871073AA0052A8BCB50DE799881FBF3391AB64754B10012EF85A97384F639DD45C359

Function 004D833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004D835A
_wcslen.LIBCMT ref: 004D836E
_wcslen.LIBCMT ref: 004D8391
_wcslen.LIBCMT ref: 004D83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004D83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004D5BF2), ref: 004D844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004D8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004D84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004D8501
FreeLibrary.KERNEL32(?), ref: 004D850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004D851D
DestroyIcon.USER32(?,?,?,?,?,004D5BF2), ref: 004D852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004D8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004D8555

Strings

.dll, xrefs: 004D83AB
.exe, xrefs: 004D8388
.icl, xrefs: 004D8368

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 739a6bcffcfe10ec01f9c4c178212ab3bc48bd0b8b4bffdd62d2852785b8ee23
Instruction ID: 59b780dae6f6179a7f88121e31e1c5ba122b7f3154a9001b7b207d5aae5a4591
Opcode Fuzzy Hash: 739a6bcffcfe10ec01f9c4c178212ab3bc48bd0b8b4bffdd62d2852785b8ee23
Instruction Fuzzy Hash: 1C611371A00215BAEB14CF64DC91BBF77A8FB04711F10460FF815D62D1EB78A940C7A8

Function 00447778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#pragma compile, xrefs: 004477D3
#requireadmin, xrefs: 004477FF
#include, xrefs: 00447847
Cannot parse #include, xrefs: 00485279
Bad directive syntax error, xrefs: 0048519A
#ce, xrefs: 004478ED
#include-once, xrefs: 0044782F
", xrefs: 00485153
#OnAutoItStartRegister, xrefs: 00447817
#comments-start, xrefs: 0044785F, 004478B1
#comments-end, xrefs: 004478D9
Unterminated group of comments, xrefs: 0048528C
', xrefs: 00485169
#cs, xrefs: 00447873, 004478C5
#notrayicon, xrefs: 004477E7

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 779b2ea98ec719d0b8ade34161beb598115f3ca4fa0e25d751e17c86fa27f9f9
Instruction ID: 4281426903323de7a0a1442354c89715cd5a66f6238ab3ba75e102bdac81254b
Opcode Fuzzy Hash: 779b2ea98ec719d0b8ade34161beb598115f3ca4fa0e25d751e17c86fa27f9f9
Instruction Fuzzy Hash: 88811871A00605BBEB21BF61DC42FAF3764AF15304F04442BF905AA292EB7DD916C79E

Function 004B3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 004B3EF8
_wcslen.LIBCMT ref: 004B3F03
_wcslen.LIBCMT ref: 004B3F5A
_wcslen.LIBCMT ref: 004B3F98
GetDriveTypeW.KERNEL32(?), ref: 004B3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B4087

Strings

close cd wait, xrefs: 004B4072
type cdaudio alias cd wait, xrefs: 004B4001
set cd door , xrefs: 004B4028
open , xrefs: 004B3FE5
open, xrefs: 004B3F54, 004B3F59
wait, xrefs: 004B4044
close, xrefs: 004B3EFE, 004B3F18
closed, xrefs: 004B3F08, 004B3F2D, 004B3F46, 004B3F7E, 004B3F97

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 6debee4f223e03b4b8e66e87cc24bf1cab1041a313128be00df258e744c44dbc
Instruction ID: 1ce07d22fa5b8af40b0a5523f7563b236c5d83b20cfdb3214e198a8f53734751
Opcode Fuzzy Hash: 6debee4f223e03b4b8e66e87cc24bf1cab1041a313128be00df258e744c44dbc
Instruction Fuzzy Hash: DD71DF326042129FD310EF25C8818ABB7F4FF94758F00492EF89597291EB38ED49CB66

Function 004A5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 004A5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004A5A40
SetWindowTextW.USER32(?,?), ref: 004A5A57
GetDlgItem.USER32(?,000003EA), ref: 004A5A6C
SetWindowTextW.USER32(00000000,?), ref: 004A5A72
GetDlgItem.USER32(?,000003E9), ref: 004A5A82
SetWindowTextW.USER32(00000000,?), ref: 004A5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004A5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004A5AC3
GetWindowRect.USER32(?,?), ref: 004A5ACC
_wcslen.LIBCMT ref: 004A5B33
SetWindowTextW.USER32(?,?), ref: 004A5B6F
GetDesktopWindow.USER32 ref: 004A5B75
GetWindowRect.USER32(00000000), ref: 004A5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 004A5BD3
GetClientRect.USER32(?,?), ref: 004A5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 004A5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004A5C2F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 8827e5c40be29343979ee832e74576b43d5f0ba24c3524c40d74d96de9a47105
Instruction ID: 772117a802ce897a0c165fbbbe222417f8abbcdc8da9b174d58084b0a8bb672f
Opcode Fuzzy Hash: 8827e5c40be29343979ee832e74576b43d5f0ba24c3524c40d74d96de9a47105
Instruction Fuzzy Hash: 14719271A00B059FDB20DFA8CE85A6FBBF5FF58705F10452AE142A26A0D778F904CB18

Function 004BFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 004BFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 004BFE32
LoadCursorW.USER32(00000000,00007F00), ref: 004BFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 004BFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 004BFE53
LoadCursorW.USER32(00000000,00007F01), ref: 004BFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 004BFE69
LoadCursorW.USER32(00000000,00007F88), ref: 004BFE74
LoadCursorW.USER32(00000000,00007F80), ref: 004BFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 004BFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 004BFE95
LoadCursorW.USER32(00000000,00007F85), ref: 004BFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 004BFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 004BFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 004BFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 004BFECC
GetCursorInfo.USER32(?), ref: 004BFEDC
GetLastError.KERNEL32 ref: 004BFF1E

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d9c03ab3ebaf14a2e977f94620d176fa017aaca6a7df5cdc247cd6af124b87db
Instruction ID: 9060a4fffcfc5d26cdec9ba8a755cf2864339faa3ff17f561eb5e660a3edcd0c
Opcode Fuzzy Hash: d9c03ab3ebaf14a2e977f94620d176fa017aaca6a7df5cdc247cd6af124b87db
Instruction Fuzzy Hash: 034161B0D053196ADB10DFBA8C8986EBFE8FF04754B50452BE11DE7281DB78A901CEA5

Function 004A30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004A318D
_wcslen.LIBCMT ref: 004A31F8

Strings

CLASS, xrefs: 004A3188, 004A31A5
NAME, xrefs: 004A3335, 004A3346
[P, xrefs: 004A339A
CLASSNN, xrefs: 004A31F3, 004A3204
INSTANCE, xrefs: 004A3453
TEXT, xrefs: 004A347C
REGEXPCLASS, xrefs: 004A3255, 004A3266

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[P
API String ID: 176396367-2337605258
Opcode ID: e15e1f239f9caeb71d35492d96d3578b4b4b424917d33e0974703c78c1bdebea
Instruction ID: 4202695980e25f4050cf88744d508a44e7a3126b48cae055a743837596620743
Opcode Fuzzy Hash: e15e1f239f9caeb71d35492d96d3578b4b4b424917d33e0974703c78c1bdebea
Instruction Fuzzy Hash: 48E1E532A00516ABCB14DF78C4517EFFBA0BF66715F14811BF456A7280FB38AE858B94

Function 004600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004600C6

Part of subcall function 004600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0051070C,00000FA0,860FB56B,?,?,?,?,004823B3,000000FF), ref: 0046011C
Part of subcall function 004600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004823B3,000000FF), ref: 00460127
Part of subcall function 004600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004823B3,000000FF), ref: 00460138
Part of subcall function 004600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0046014E
Part of subcall function 004600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0046015C
Part of subcall function 004600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0046016A
Part of subcall function 004600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00460195
Part of subcall function 004600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004601A0

___scrt_fastfail.LIBCMT ref: 004600E7

Part of subcall function 004600A3: __onexit.LIBCMT ref: 004600A9

Strings

kernel32.dll, xrefs: 00460133
WakeAllConditionVariable, xrefs: 00460162
InitializeConditionVariable, xrefs: 00460148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00460122
SleepConditionVariableCS, xrefs: 00460154

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b4d6da1cc7fb0b7603400242dfd4480df2b898b6227e5797e54bb940ef144ae5
Instruction ID: 0cb4fae7b5c52e93b0157d1dac7299b2a4f4ca9feb39c943511fc883ab3646b3
Opcode Fuzzy Hash: b4d6da1cc7fb0b7603400242dfd4480df2b898b6227e5797e54bb940ef144ae5
Instruction Fuzzy Hash: 33212C326417116BE7205B64AC46B9F3794DB06B51F10023BFC02D23D1EBAC5804CA9E

Function 004B44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,004DCC08), ref: 004B4527
_wcslen.LIBCMT ref: 004B453B
_wcslen.LIBCMT ref: 004B4599
_wcslen.LIBCMT ref: 004B45F4
_wcslen.LIBCMT ref: 004B463F
_wcslen.LIBCMT ref: 004B46A7

Part of subcall function 0045F9F2: _wcslen.LIBCMT ref: 0045F9FD

GetDriveTypeW.KERNEL32(?,00506BF0,00000061), ref: 004B4743

Strings

unknown, xrefs: 004B4708
cdrom, xrefs: 004B458F, 004B4594
fixed, xrefs: 004B4635, 004B463A
ramdisk, xrefs: 004B46F1
network, xrefs: 004B469D, 004B46A2
removable, xrefs: 004B45EA, 004B45EF
all, xrefs: 004B4531, 004B4536

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 183c4efda26571965d748204d2719285dd46cbdb63939346c2cdf65716c3452d
Instruction ID: 9e63dadc3888284e2c75a1c04aa69ff4858260facebb9894a86cfaf445a65aae
Opcode Fuzzy Hash: 183c4efda26571965d748204d2719285dd46cbdb63939346c2cdf65716c3452d
Instruction Fuzzy Hash: 61B102716083029BC710DF29C890AABB7E5AFE5724F10491EF496C7392EB38D845CA66

Function 004D911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

DragQueryPoint.SHELL32(?,?), ref: 004D9147

Part of subcall function 004D7674: ClientToScreen.USER32(?,?), ref: 004D769A
Part of subcall function 004D7674: GetWindowRect.USER32(?,?), ref: 004D7710
Part of subcall function 004D7674: PtInRect.USER32(?,?,004D8B89), ref: 004D7720

SendMessageW.USER32(?,000000B0,?,?), ref: 004D91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004D91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004D91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 004D9225
SendMessageW.USER32(?,000000B0,?,?), ref: 004D923E
SendMessageW.USER32(?,000000B1,?,?), ref: 004D9255
SendMessageW.USER32(?,000000B1,?,?), ref: 004D9277
DragFinish.SHELL32(?), ref: 004D927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004D9371

Strings

@GUI_DRAGID, xrefs: 004D92E9
8!, xrefs: 004D92BB
@GUI_DRAGFILE, xrefs: 004D9320
@GUI_DROPID, xrefs: 004D929E

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: 8!$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-1119928880
Opcode ID: fb1e94609065481e173d4aaef74c4a3f719e40abc3b7d1a0b13ed747ba35f4f8
Instruction ID: 6d3425b93d7e6b11737a42ab6cd0816991145cc34951e4b4185837d3ad10f331
Opcode Fuzzy Hash: fb1e94609065481e173d4aaef74c4a3f719e40abc3b7d1a0b13ed747ba35f4f8
Instruction Fuzzy Hash: 82617971108301AFD701EF65DC85DAFBBE8EF89354F00092FF595922A1DB349A49CB5A

Function 004C3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004DCC08), ref: 004C40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 004C40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,004DCC08), ref: 004C40F2
FreeLibrary.KERNEL32(00000000,?,004DCC08), ref: 004C413E
StringFromGUID2.OLE32(?,?,00000028), ref: 004C41A8
SysFreeString.OLEAUT32(00000009), ref: 004C4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004C42C8
SysFreeString.OLEAUT32(?), ref: 004C42F2

Strings

kernel32.dll, xrefs: 004C40B6
GetModuleHandleExW, xrefs: 004C40C7

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: db00c5f71bcb1cb87fcfb2d6c49d7afb10271b7f8ec90f9d914bade49a58d7b9
Instruction ID: 0ec28213cbabaf7658e11af4170e8776df5d22797ab0fe4e8905a283d7057238
Opcode Fuzzy Hash: db00c5f71bcb1cb87fcfb2d6c49d7afb10271b7f8ec90f9d914bade49a58d7b9
Instruction Fuzzy Hash: 71126A79A00105EFDB54CF94C998FAEB7B5BF84318F24809EE9059B251CB35ED42CBA4

Function 0044326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00511990), ref: 00482F8D
GetMenuItemCount.USER32(00511990), ref: 0048303D
GetCursorPos.USER32(?), ref: 00483081
SetForegroundWindow.USER32(00000000), ref: 0048308A
TrackPopupMenuEx.USER32(00511990,00000000,?,00000000,00000000,00000000), ref: 0048309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004830A9

Strings

0, xrefs: 0044327D

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 2c04e84bce4b41f03e3466344f75e9745e9226c9bc2cf37a50700351e9c0cb27
Instruction ID: 40eb11ddb95f34d65565841547660b33d72519578a65b558450ec61545f3adea
Opcode Fuzzy Hash: 2c04e84bce4b41f03e3466344f75e9745e9226c9bc2cf37a50700351e9c0cb27
Instruction Fuzzy Hash: 64711630640216BAFB219F25CD89FAEBF64FF05724F204257F614662E0C7F9A910DB99

Function 004D6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 004D6DEB

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004D6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004D6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004D6E94
DestroyWindow.USER32(?), ref: 004D6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00440000,00000000), ref: 004D6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004D6EFD
GetDesktopWindow.USER32 ref: 004D6F16
GetWindowRect.USER32(00000000), ref: 004D6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004D6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004D6F4D

Part of subcall function 00459944: GetWindowLongW.USER32(?,000000EB), ref: 00459952

Strings

0, xrefs: 004D6D98
tooltips_class32, xrefs: 004D6E58, 004D6EDD

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 03687c9bb53a2adfdcd7bca4e564fd03f774026d884ad1db69932916e2dae32d
Instruction ID: ab110c9c65ac116654aaf94f118da227ad4eb751781689f20c36eb2d8d67042a
Opcode Fuzzy Hash: 03687c9bb53a2adfdcd7bca4e564fd03f774026d884ad1db69932916e2dae32d
Instruction Fuzzy Hash: CB717970104645AFDB21CF18D898AABBBFAFB89304F05441FF99987361C774E909DB1A

Function 004BC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004BC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004BC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004BC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004BC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 004BC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004BC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004BC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004BC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004BC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004BC5F0
InternetCloseHandle.WININET(00000000), ref: 004BC5FB

Strings

, xrefs: 004BC575

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d44767b5704b07270319c0a7d3dc21a39540a95b7fd43b416a00924c953c8daf
Instruction ID: 8b5ee0e386a7dee170b546b570e7c1aeec5ee908da8c5b19d2f3fd95f559766d
Opcode Fuzzy Hash: d44767b5704b07270319c0a7d3dc21a39540a95b7fd43b416a00924c953c8daf
Instruction Fuzzy Hash: B1513BB1501209BFDB219F65C9C8AAB7BBCEF08754F00442BF945D6250DB38EA44DBB9

Function 004D856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 004D8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004D85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004D85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004D85BA
GlobalLock.KERNEL32(00000000), ref: 004D85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004D85D7
GlobalUnlock.KERNEL32(00000000), ref: 004D85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004D85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0), ref: 004D85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,004DFC38,?), ref: 004D8611
GlobalFree.KERNEL32(00000000), ref: 004D8621
GetObjectW.GDI32(?,00000018,?), ref: 004D8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 004D8671
DeleteObject.GDI32(?), ref: 004D8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004D86AF

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 631c4d19d378fa699d54cb8ac3c6ba5e572a9809071cc1e4afdfc7f12063c690
Instruction ID: 34e5e88000cd8989c920addd1f1e9efa5710274dde80d5013b5116a9112b4fe0
Opcode Fuzzy Hash: 631c4d19d378fa699d54cb8ac3c6ba5e572a9809071cc1e4afdfc7f12063c690
Instruction Fuzzy Hash: E6411875601209AFDB119FA5DC98EAF7BBCEF89B11F10416AF905E7260DB349901CB28

Function 004B14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 004B1502
VariantCopy.OLEAUT32(?,?), ref: 004B150B
VariantClear.OLEAUT32(?), ref: 004B1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004B15FB
VarR8FromDec.OLEAUT32(?,?), ref: 004B1657
VariantInit.OLEAUT32(?), ref: 004B1708
SysFreeString.OLEAUT32(?), ref: 004B178C
VariantClear.OLEAUT32(?), ref: 004B17D8
VariantClear.OLEAUT32(?), ref: 004B17E7
VariantInit.OLEAUT32(00000000), ref: 004B1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 004B1625
Default, xrefs: 004B16AF

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: fc76fc084901407ad0d20f55bc1d6e46a58b89789424c668795bc952b2f48c49
Instruction ID: fa72a18a57bf4829436b30c01ea69df76f23a9b0913c8c471c9adaddefe3561e
Opcode Fuzzy Hash: fc76fc084901407ad0d20f55bc1d6e46a58b89789424c668795bc952b2f48c49
Instruction Fuzzy Hash: E9D12571600105EBDB209F65E894BBEB7B5BF44700F94405BF8079B2A1DB38DC49DB6A

Function 004CB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CC9F1
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA68
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004CB772
RegDeleteValueW.ADVAPI32(?,?), ref: 004CB80A
RegCloseKey.ADVAPI32(?), ref: 004CB87E
RegCloseKey.ADVAPI32(?), ref: 004CB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 004CB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004CB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 004CB922
FreeLibrary.KERNEL32(00000000), ref: 004CB983
RegCloseKey.ADVAPI32(00000000), ref: 004CB994

Strings

advapi32.dll, xrefs: 004CB8ED
RegDeleteKeyExW, xrefs: 004CB8FE

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 0a5e25966153a36ffed49910cbb8d83cbd049bd4879ee0e4cd3e5dec755772d7
Instruction ID: 347e06d35d53e4381452192e9f0146ddbdc994d2d4b015ed39e777a79e9d7f5f
Opcode Fuzzy Hash: 0a5e25966153a36ffed49910cbb8d83cbd049bd4879ee0e4cd3e5dec755772d7
Instruction Fuzzy Hash: A5C17D74205201AFD750DF15C495F2ABBE5FF84308F14855EE49A8B3A2CB39EC45CB96

Function 004C255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004C25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004C25E8
CreateCompatibleDC.GDI32(?), ref: 004C25F4
SelectObject.GDI32(00000000,?), ref: 004C2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 004C266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004C26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004C26D0
SelectObject.GDI32(?,?), ref: 004C26D8
DeleteObject.GDI32(?), ref: 004C26E1
DeleteDC.GDI32(?), ref: 004C26E8
ReleaseDC.USER32(00000000,?), ref: 004C26F3

Strings

(, xrefs: 004C268D

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ab89571133d69d30293ff49957a870ecda28babbf68ae5f93a74a6491f2409d3
Instruction ID: e6b935ce2dee1fbee1f7bcf5ef5f191660b016e06d10394a9b79d406cb03973e
Opcode Fuzzy Hash: ab89571133d69d30293ff49957a870ecda28babbf68ae5f93a74a6491f2409d3
Instruction Fuzzy Hash: E261E275D01219EFCF04CFA4D984EAEBBB5FF48310F20852AE955A7250D774A941CF64

Function 0047DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0047DAA1

Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D659
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D66B
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D67D
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D68F
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6A1
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6B3
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6C5
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6D7
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6E9
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6FB
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D70D
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D71F
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D731

_free.LIBCMT ref: 0047DA96

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 0047DAB8
_free.LIBCMT ref: 0047DACD
_free.LIBCMT ref: 0047DAD8
_free.LIBCMT ref: 0047DAFA
_free.LIBCMT ref: 0047DB0D
_free.LIBCMT ref: 0047DB1B
_free.LIBCMT ref: 0047DB26
_free.LIBCMT ref: 0047DB5E
_free.LIBCMT ref: 0047DB65
_free.LIBCMT ref: 0047DB82
_free.LIBCMT ref: 0047DB9A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9193a334a387b1161d04325ab83c226262d7405d35c72517ddfa759dc7c7393f
Instruction ID: 4c41409aafb36992286527732a4f043fb73985f6c2a3f42bcf1f351109b273ff
Opcode Fuzzy Hash: 9193a334a387b1161d04325ab83c226262d7405d35c72517ddfa759dc7c7393f
Instruction Fuzzy Hash: D5316CB1A042059FDB21AA3AD941B9BB7E8FF00314F14842BE14DD7291DA78BC848728

Function 004A365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004A369C
_wcslen.LIBCMT ref: 004A36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004A3797
GetClassNameW.USER32(?,?,00000400), ref: 004A380C
GetDlgCtrlID.USER32(?), ref: 004A385D
GetWindowRect.USER32(?,?), ref: 004A3882
GetParent.USER32(?), ref: 004A38A0
ScreenToClient.USER32(00000000), ref: 004A38A7
GetClassNameW.USER32(?,?,00000100), ref: 004A3921
GetWindowTextW.USER32(?,?,00000400), ref: 004A395D

Strings

%s%u, xrefs: 004A3734

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3bd87daaaf7d3257d69a4e0b575527f7456787709e392c0f64a1e62e2f5f8ba4
Instruction ID: 6ae17f8b9273ea31abe864e4f8453969fec46dcd7010c81b482319f29a0e3132
Opcode Fuzzy Hash: 3bd87daaaf7d3257d69a4e0b575527f7456787709e392c0f64a1e62e2f5f8ba4
Instruction Fuzzy Hash: E891D5B1204606AFD714DF24C885BABF7E8FF55345F00852EF999C2290EB38EA45CB95

Function 004A4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 004A4994
GetWindowTextW.USER32(?,?,00000400), ref: 004A49DA
_wcslen.LIBCMT ref: 004A49EB
CharUpperBuffW.USER32(?,00000000), ref: 004A49F7
_wcsstr.LIBVCRUNTIME ref: 004A4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 004A4A64
GetWindowTextW.USER32(?,?,00000400), ref: 004A4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 004A4AE6
GetClassNameW.USER32(?,?,00000400), ref: 004A4B20
GetWindowRect.USER32(?,?), ref: 004A4B8B

Strings

ThumbnailClass, xrefs: 004A4A6F, 004A4AF1

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 8571b750164d61a668c6133b6d7b2a0490af9e18972d0e81458c7f42958dd753
Instruction ID: e405c71147f15f57a50106348d82258b32d6fc5d6d600da3ebef284a3c4d3ffd
Opcode Fuzzy Hash: 8571b750164d61a668c6133b6d7b2a0490af9e18972d0e81458c7f42958dd753
Instruction Fuzzy Hash: C391BE710042059FDB04CF14C981BAB77A8FFE5314F04846BFD859A296EB78ED45CBAA

Function 004D8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004D8D5A
GetFocus.USER32 ref: 004D8D6A
GetDlgCtrlID.USER32(00000000), ref: 004D8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 004D8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 004D8ECF
GetMenuItemCount.USER32(?), ref: 004D8EEC
GetMenuItemID.USER32(?,00000000), ref: 004D8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 004D8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 004D8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004D8FA1

Strings

0, xrefs: 004D8E9F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 9435baa3fd69f507dd656811e819ee6573a63250dd7d593feae68a93525ee226
Instruction ID: 7148e5e39af316cdacef0adb8b3e8721fd15933655fd0e65d8be876b11bd1df3
Opcode Fuzzy Hash: 9435baa3fd69f507dd656811e819ee6573a63250dd7d593feae68a93525ee226
Instruction Fuzzy Hash: 2E816A71504311ABD710CF24D894ABB7BEAAB88714F040A6FF994D7392DB38D905CB6A

Function 004ABF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00511990,000000FF,00000000,00000030), ref: 004ABFAC
SetMenuItemInfoW.USER32(00511990,00000004,00000000,00000030), ref: 004ABFE1
Sleep.KERNEL32(000001F4), ref: 004ABFF3
GetMenuItemCount.USER32(?), ref: 004AC039
GetMenuItemID.USER32(?,00000000), ref: 004AC056
GetMenuItemID.USER32(?,-00000001), ref: 004AC082
GetMenuItemID.USER32(?,?), ref: 004AC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004AC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004AC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004AC145

Strings

0, xrefs: 004ABF3D

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 382ea8949d54b2590382ec782b0de2f5e8d4d6dba2082fde063f235edd780010
Instruction ID: 5a1c92a5367c4342cc356fec4353f73c17e921a9eeec36160ae1ce8c0fd065fb
Opcode Fuzzy Hash: 382ea8949d54b2590382ec782b0de2f5e8d4d6dba2082fde063f235edd780010
Instruction Fuzzy Hash: 3361A3B0A0025AAFDF11CF64DDC8AEF7BB9EB16344F04415AF811A3292D739AD05CB65

Function 004ADC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004ADC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004ADC46
_wcslen.LIBCMT ref: 004ADC50
_wcsstr.LIBVCRUNTIME ref: 004ADCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 004ADCBC

Strings

StringFileInfo\, xrefs: 004ADC8F
04090000, xrefs: 004ADCF2
DefaultLangCodepage, xrefs: 004ADD1F
\VarFileInfo\Translation, xrefs: 004ADCB4
%u.%u.%u.%u, xrefs: 004ADD9A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: c2988817f636be564592a73b8b4c6b2ae037db8d0b1cc96abf6984b2700c8424
Instruction ID: c4b1c1161ba51b9fe528f5ec1c370e2c09bdd5a067ea77adb11911d7052ec06b
Opcode Fuzzy Hash: c2988817f636be564592a73b8b4c6b2ae037db8d0b1cc96abf6984b2700c8424
Instruction Fuzzy Hash: 3F410572E402027ADB10A7759C47EBF77ACEF56714F10006FF901A6182FA7C990586AE

Function 004CCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004CCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 004CCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004CCD48

Part of subcall function 004CCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004CCCAA
Part of subcall function 004CCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 004CCCBD
Part of subcall function 004CCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004CCCCF
Part of subcall function 004CCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004CCD05
Part of subcall function 004CCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004CCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 004CCCF3

Strings

advapi32.dll, xrefs: 004CCCB8
RegDeleteKeyExW, xrefs: 004CCCC9

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: b27e478580137acf602751f1b19ac36a39dd7c2248366946845c235c75f1664e
Instruction ID: ffb223e39b25785f03960c2c364a4313e60c98bedd8421c9e1cf57b3ed978cf4
Opcode Fuzzy Hash: b27e478580137acf602751f1b19ac36a39dd7c2248366946845c235c75f1664e
Instruction Fuzzy Hash: 4A318575901129BBDB218B90DCC8EFFBB7CEF15740F00417AF90AE2240DB385A45DAA4

Function 004B3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004B3D40
_wcslen.LIBCMT ref: 004B3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 004B3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004B3DBE
RemoveDirectoryW.KERNEL32(?), ref: 004B3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004B3E55
CloseHandle.KERNEL32(00000000), ref: 004B3E60
CloseHandle.KERNEL32(00000000), ref: 004B3E6B

Strings

\, xrefs: 004B3D77
:, xrefs: 004B3D82
\??\%s, xrefs: 004B3D5B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 4eb4424bfdec42798a934fc026f8639219b02c3bd99be1c65370c3f6d9b6cfef
Instruction ID: 08754eaa7001a7b4817f019c95b6c6d061dab0965e505b8c5f3f2c677e07ed88
Opcode Fuzzy Hash: 4eb4424bfdec42798a934fc026f8639219b02c3bd99be1c65370c3f6d9b6cfef
Instruction Fuzzy Hash: C231817194021AAADB209FA1DC89FEF37BCAF88705F5041B6F50596160E7749744CB28

Function 004AE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004AE6B4

Part of subcall function 0045E551: timeGetTime.WINMM(?,?,004AE6D4), ref: 0045E555

Sleep.KERNEL32(0000000A), ref: 004AE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 004AE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 004AE727
SetActiveWindow.USER32 ref: 004AE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004AE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 004AE773
Sleep.KERNEL32(000000FA), ref: 004AE77E
IsWindow.USER32 ref: 004AE78A
EndDialog.USER32(00000000), ref: 004AE79B

Strings

BUTTON, xrefs: 004AE719

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 766bc5d19e7fb57c2676f35befec53a9a354c04decee0c4a21eb0906a10e5a8e
Instruction ID: f6da4834670e6d2ea9f03893ad32c68fc7e4e825dbcac4906026d6d3edbb2c7a
Opcode Fuzzy Hash: 766bc5d19e7fb57c2676f35befec53a9a354c04decee0c4a21eb0906a10e5a8e
Instruction Fuzzy Hash: A8215074201206AFEF005F62ECC9B663B69E7B6349F504827F521822E1DF65AC14EA2C

Function 004AE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004AEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004AEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004AEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004AEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004AEAA7

Strings

play PlayMe, xrefs: 004AEAA2
open , xrefs: 004AEA0C
close PlayMe, xrefs: 004AEA6E, 004AEA9B
status PlayMe mode, xrefs: 004AEA58
play PlayMe wait, xrefs: 004AEA91
alias PlayMe, xrefs: 004AEA36

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 6b54a5211cb4e78ba977c7629484372726e93554c7a9fd18034ebe0f12c2a222
Instruction ID: 1e0731cb1aef30cd31610be7b8619a7985704d62c5d5167a954ba3ad015adf7f
Opcode Fuzzy Hash: 6b54a5211cb4e78ba977c7629484372726e93554c7a9fd18034ebe0f12c2a222
Instruction Fuzzy Hash: 6D117371A9025979E720A7A6DC4AEFF6EBCFBD2F04F44082B7811A20D1EE740D15C5B4

Function 004A9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004AA012
SetKeyboardState.USER32(?), ref: 004AA07D
GetAsyncKeyState.USER32(000000A0), ref: 004AA09D
GetKeyState.USER32(000000A0), ref: 004AA0B4
GetAsyncKeyState.USER32(000000A1), ref: 004AA0E3
GetKeyState.USER32(000000A1), ref: 004AA0F4
GetAsyncKeyState.USER32(00000011), ref: 004AA120
GetKeyState.USER32(00000011), ref: 004AA12E
GetAsyncKeyState.USER32(00000012), ref: 004AA157
GetKeyState.USER32(00000012), ref: 004AA165
GetAsyncKeyState.USER32(0000005B), ref: 004AA18E
GetKeyState.USER32(0000005B), ref: 004AA19C

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7717ce1d31547010b73e25883d2f3a1ff92b94f1936535c337c9e117d8b9800c
Instruction ID: 888e498f177244229adcff1bad1907d694d3273b5a6ec35380bdf2aedd9d704a
Opcode Fuzzy Hash: 7717ce1d31547010b73e25883d2f3a1ff92b94f1936535c337c9e117d8b9800c
Instruction Fuzzy Hash: B251973050478429FB35DB6084157ABAFB59F23344F08459FD5C2562C3DB58AE4CC76A

Function 004A5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 004A5CE2
GetWindowRect.USER32(00000000,?), ref: 004A5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 004A5D59
GetDlgItem.USER32(?,00000002), ref: 004A5D69
GetWindowRect.USER32(00000000,?), ref: 004A5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 004A5DCF
GetDlgItem.USER32(?,000003E9), ref: 004A5DDD
GetWindowRect.USER32(00000000,?), ref: 004A5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 004A5E31
GetDlgItem.USER32(?,000003EA), ref: 004A5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004A5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 004A5E67

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d8ab6eac564c28ed43bd315e52fd17e53c8f5216d38b4bbaa8824c9ea2df4af2
Instruction ID: 8025beead35433bcbfa894cf3b113f742572bf09ba15338ab6817d2b57ff4699
Opcode Fuzzy Hash: d8ab6eac564c28ed43bd315e52fd17e53c8f5216d38b4bbaa8824c9ea2df4af2
Instruction Fuzzy Hash: 12511071B00606AFDF18CFA8DD89AAEBBB5FB59310F14812AF515E7290D7749E00CB54

Function 00458BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00458F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00458BE8,?,00000000,?,?,?,?,00458BBA,00000000,?), ref: 00458FC5

DestroyWindow.USER32(?), ref: 00458C81
KillTimer.USER32(00000000,?,?,?,?,00458BBA,00000000,?), ref: 00458D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00496973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00458BBA,00000000,?), ref: 004969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00458BBA,00000000,?), ref: 004969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00458BBA,00000000), ref: 004969D4
DeleteObject.GDI32(00000000), ref: 004969E6

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 01e2c28634c45e215f6a264d7ebe29cc524f6c3c153fc55f2abb909c3d2379df
Instruction ID: fac06a0071a65afe4b302710c687a75a5e5b44d627ce91bde6b78f4f3b106c70
Opcode Fuzzy Hash: 01e2c28634c45e215f6a264d7ebe29cc524f6c3c153fc55f2abb909c3d2379df
Instruction Fuzzy Hash: 5361CD30102A01DFCF229F15D948B6A7BF1FB50316F10856FE542AA661CB39AC89DF9D

Function 00459838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00459944: GetWindowLongW.USER32(?,000000EB), ref: 00459952

GetSysColor.USER32(0000000F), ref: 00459862

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d6d585fdf9025992d3808c85545f581a4f4045d0cca6dff49c4dff52eb98e95f
Instruction ID: 8a02076f2f5f77d2a994f8750f7b42d9ca51fd81e508833349f74abd47b5310b
Opcode Fuzzy Hash: d6d585fdf9025992d3808c85545f581a4f4045d0cca6dff49c4dff52eb98e95f
Instruction Fuzzy Hash: D141B531115610EFDF206F389C84BBA3BA5AB06331F144627FDA28B2E2D7359C46DB19

Function 00478D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.F, xrefs: 0047903A, 00478FD0, 00478FF2

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: .F
API String ID: 0-907655787
Opcode ID: 37e621771cf8e4cbb77e109ff4421e1903e7816c78f9b0a2cee663be812a2184
Instruction ID: 560dff50c83d399baf38652766be966e7e62b981ef7fd5e6b8ab28a65cd7b694
Opcode Fuzzy Hash: 37e621771cf8e4cbb77e109ff4421e1903e7816c78f9b0a2cee663be812a2184
Instruction Fuzzy Hash: 89C10874904285AFCF11DFA9D845BEEBBB0AF09314F04809FE55897392C7798D41CB69

Function 004B3388 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004B33CF

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004B33F0

Strings

Error: , xrefs: 004B34D1
"%s" (%d) : ==> %s:, xrefs: 004B3522
G8!, xrefs: 004B3388
^ ERROR , xrefs: 004B349E
"%s" (%d) : ==> %s:%s%s, xrefs: 004B3504
Line %d (File "%s"):, xrefs: 004B3443, 004B345C
Incorrect parameters to object property !, xrefs: 004B34AB

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$G8!$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-229133034
Opcode ID: 8f7a553dbca46bf7f13a731cdd00b211175b9dfcfa9435f393b5e6860a677f70
Instruction ID: 289b72da7b3a03d791f328ffb47dd04cfda2d24b2202c8020d0dbdd737c5f328
Opcode Fuzzy Hash: 8f7a553dbca46bf7f13a731cdd00b211175b9dfcfa9435f393b5e6860a677f70
Instruction Fuzzy Hash: B651D231900109BAEF14EFA1CD46EEEB778AF14749F10406AF50572092DB392F58DB69

Function 004A96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0048F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 004A9717
LoadStringW.USER32(00000000,?,0048F7F8,00000001), ref: 004A9720

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0048F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 004A9742
LoadStringW.USER32(00000000,?,0048F7F8,00000001), ref: 004A9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 004A9866

Strings

^ ERROR, xrefs: 004A97FB
Error: , xrefs: 004A981D
Line %d:, xrefs: 004A97A0
%s (%d) : ==> %s: %s %s, xrefs: 004A984A
Line %d (File "%s"):, xrefs: 004A978F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 290971066111bf094c26d0303308038a2c122ef348f2470aeef74d581d1ef5f0
Instruction ID: a4824d9b8aee4c59057fdb22b96538c762001f0df5a483f9f4ca1ee98f82a3e6
Opcode Fuzzy Hash: 290971066111bf094c26d0303308038a2c122ef348f2470aeef74d581d1ef5f0
Instruction Fuzzy Hash: 91415E72800209AAEF04FFE1DD86DEE7778AF15744F50042AB60172092EB396F58DB69

Function 004A06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004A07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004A07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004A07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004A0804
CLSIDFromString.OLE32(?,000001FE), ref: 004A082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004A0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004A083C

Strings

\CLSID, xrefs: 004A0724
\IPC$, xrefs: 004A0784
SOFTWARE\Classes\, xrefs: 004A070E

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: a5452e32f522ba3c326aa17525912da9c4f3d417924510653561d018e6082925
Instruction ID: 6f3d916566a41965418ff5cec671c48d440b8f3260e7acd3b4bb56df12e57766
Opcode Fuzzy Hash: a5452e32f522ba3c326aa17525912da9c4f3d417924510653561d018e6082925
Instruction Fuzzy Hash: B3410A72C10229ABDF11EFA5DC95CEEB778FF14754F04452AE901A31A1EB385E14CB94

Function 004D3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 004D403B
CreateCompatibleDC.GDI32(00000000), ref: 004D4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004D4055
SelectObject.GDI32(00000000,00000000), ref: 004D405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 004D4068
DeleteDC.GDI32(00000000), ref: 004D4072
GetWindowLongW.USER32(?,000000EC), ref: 004D407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 004D4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 004D409E

Strings

static, xrefs: 004D3FD3

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: ec7714d729aae544752d93e53ac3842d03682d5f1faad57b0ebce7f2261d9cdb
Instruction ID: 184b94081744e4e8e14fffdd51b6af00b645b1a4af0f8e15163465ac451052be
Opcode Fuzzy Hash: ec7714d729aae544752d93e53ac3842d03682d5f1faad57b0ebce7f2261d9cdb
Instruction Fuzzy Hash: 44315E32501216BBDF229FA4DC45FDB3BA8EF0D324F110227FA14A62A0C779D811DB58

Function 004C3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C3C5C
CoInitialize.OLE32(00000000), ref: 004C3C8A
CoUninitialize.OLE32 ref: 004C3C94
_wcslen.LIBCMT ref: 004C3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 004C3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 004C3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 004C3F0E
CoGetObject.OLE32(?,00000000,004DFB98,?), ref: 004C3F2D
SetErrorMode.KERNEL32(00000000), ref: 004C3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004C3FC4
VariantClear.OLEAUT32(?), ref: 004C3FD8

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: e672205afc5c5b2066de14a6f4d69df865e21aea9470df745c006064c14dd603
Instruction ID: a84987989226c92a782a6340020b9c0f8592ea422a3ab4dd241326cf1d4e666d
Opcode Fuzzy Hash: e672205afc5c5b2066de14a6f4d69df865e21aea9470df745c006064c14dd603
Instruction Fuzzy Hash: 75C135756082019FD740DF69C884E2BB7E9FF89749F00892EF98A9B250D734ED06CB56

Function 004B7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004B7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004B7B8F
SHGetDesktopFolder.SHELL32(?), ref: 004B7BA3
CoCreateInstance.OLE32(004DFD08,00000000,00000001,00506E6C,?), ref: 004B7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004B7C74
CoTaskMemFree.OLE32(?), ref: 004B7CCC
SHBrowseForFolderW.SHELL32(?), ref: 004B7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004B7D7A
CoTaskMemFree.OLE32(00000000), ref: 004B7D81
CoTaskMemFree.OLE32(00000000), ref: 004B7DD6
CoUninitialize.OLE32 ref: 004B7DDC

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 389b4baa0de6cf4b4d5ea12ab0cf0db045a85537506bdfb4204b1b97763f181d
Instruction ID: cc6026e57c6da63cc7bb305a9e306f3638dd18adce957f56392dec946a98acfc
Opcode Fuzzy Hash: 389b4baa0de6cf4b4d5ea12ab0cf0db045a85537506bdfb4204b1b97763f181d
Instruction Fuzzy Hash: CCC12B75A04105AFDB14DF64C888DAEBBB9FF48308B1484AAF81A9B361D734ED45CB94

Function 004D541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004D5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004D5515
CharNextW.USER32(00000158), ref: 004D5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004D5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004D559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004D55AC

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 175b97ef5795904b7d2201453a2249b6d87b3988ba6b2761488239fdf5edb42d
Instruction ID: dc48f658b94238dd445c9a0c68d609948e60eebcf3f12584cefca3247aed5bf2
Opcode Fuzzy Hash: 175b97ef5795904b7d2201453a2249b6d87b3988ba6b2761488239fdf5edb42d
Instruction Fuzzy Hash: CD61AF70900609ABDF10DF54CCA4AFF7BB9EB06360F10415BF925A6390DB788A81DB69

Function 0049FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0049FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0049FB08
VariantInit.OLEAUT32(?), ref: 0049FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0049FB3A
VariantCopy.OLEAUT32(?,?), ref: 0049FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0049FBA1
VariantClear.OLEAUT32(?), ref: 0049FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0049FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0049FBCC
VariantClear.OLEAUT32(?), ref: 0049FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0049FBE9

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0b25bbb83c11fe5cb213a46b5b50e83bff1be6c81844fc5d39fe85896c1fbeed
Instruction ID: 86e55309b752d91e3dfeba8b2cec71db397338d54a7fc3cafeacdb9cc508c34a
Opcode Fuzzy Hash: 0b25bbb83c11fe5cb213a46b5b50e83bff1be6c81844fc5d39fe85896c1fbeed
Instruction Fuzzy Hash: AB415135A002199FCF00DF64C8989AEBFB9EF48344F00807AE915E7261D734A949CF94

Function 004A9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004A9CA1
GetAsyncKeyState.USER32(000000A0), ref: 004A9D22
GetKeyState.USER32(000000A0), ref: 004A9D3D
GetAsyncKeyState.USER32(000000A1), ref: 004A9D57
GetKeyState.USER32(000000A1), ref: 004A9D6C
GetAsyncKeyState.USER32(00000011), ref: 004A9D84
GetKeyState.USER32(00000011), ref: 004A9D96
GetAsyncKeyState.USER32(00000012), ref: 004A9DAE
GetKeyState.USER32(00000012), ref: 004A9DC0
GetAsyncKeyState.USER32(0000005B), ref: 004A9DD8
GetKeyState.USER32(0000005B), ref: 004A9DEA

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 47d7bead955a7e9b417ecd2702975da6fd474f86bb0d7188eb9bcd51438afca1
Instruction ID: 5c872d40948fecb9f7c062da0168a56dfb62cf8d837d3524ffaca164c31445d6
Opcode Fuzzy Hash: 47d7bead955a7e9b417ecd2702975da6fd474f86bb0d7188eb9bcd51438afca1
Instruction Fuzzy Hash: 4141B834504BCA69FF31966084443B7BEA06F33354F48805BD6C6567C2D7AD9DC4C79A

Function 004C055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004C05BC
inet_addr.WSOCK32(?), ref: 004C061C
gethostbyname.WSOCK32(?), ref: 004C0628
IcmpCreateFile.IPHLPAPI ref: 004C0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004C06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004C06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004C07B9
WSACleanup.WSOCK32 ref: 004C07BF

Strings

Ping, xrefs: 004C0676

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 1faadd96b2b20d8aff9b935636f12929482c98b375f9f58f1f0cf52f3f093f2c
Instruction ID: 3cfc1af65c91c085351036befba3304f97affb0b364a81715ee517bbc7e92d1b
Opcode Fuzzy Hash: 1faadd96b2b20d8aff9b935636f12929482c98b375f9f58f1f0cf52f3f093f2c
Instruction Fuzzy Hash: 51919B38609201EFD764DF15C489F1ABBE0AF44318F1485AEE4698B7A2C738ED45CF86

Function 004C8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 004C8CF3

Part of subcall function 004A8E54: _wcslen.LIBCMT ref: 004A8E77

_wcslen.LIBCMT ref: 004C8D4E
_wcslen.LIBCMT ref: 004C8D9C
_wcslen.LIBCMT ref: 004C8DDC
_wcslen.LIBCMT ref: 004C8E6E

Strings

none, xrefs: 004C8E65, 004C8E6A
winapi, xrefs: 004C8D96, 004C8D9B
cdecl, xrefs: 004C8D48, 004C8D4D
stdcall, xrefs: 004C8DD6, 004C8DDB

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 743d0407417a60069d8372ca2217ae10a54a83cbf03a3790d9f2a73b324dc4d9
Instruction ID: a4c4cc91180ebd4aee95765531939b8e34d929b53150667649cbcfe8f671f405
Opcode Fuzzy Hash: 743d0407417a60069d8372ca2217ae10a54a83cbf03a3790d9f2a73b324dc4d9
Instruction Fuzzy Hash: EE519D35A001169BCB54DF68C940ABFB7A5BF65324B20422FE826E73C5EB39DD40C798

Function 004C372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 004C3774
CoUninitialize.OLE32 ref: 004C377F
CoCreateInstance.OLE32(?,00000000,00000017,004DFB78,?), ref: 004C37D9
IIDFromString.OLE32(?,?), ref: 004C384C
VariantInit.OLEAUT32(?), ref: 004C38E4
VariantClear.OLEAUT32(?), ref: 004C3936

Strings

Invalid parameter, xrefs: 004C3865
Failed to create object, xrefs: 004C37E4, 004C389A
NULL Pointer assignment, xrefs: 004C381E

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 31e0269cde4e8ad24dd7347f3b5408e362a04fe097866eaae3eb9076652757d1
Instruction ID: 51e5c8953608f785d01f228cb0cb84cbfdfbed3f063603b7ce6c74e9fb0b8530
Opcode Fuzzy Hash: 31e0269cde4e8ad24dd7347f3b5408e362a04fe097866eaae3eb9076652757d1
Instruction Fuzzy Hash: 7C618274608301AFD310EF55C849F5AB7E4EF49716F00881EF54597291C778EE49CBAA

Function 004D8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

Part of subcall function 0045912D: GetCursorPos.USER32(?), ref: 00459141
Part of subcall function 0045912D: ScreenToClient.USER32(00000000,?), ref: 0045915E
Part of subcall function 0045912D: GetAsyncKeyState.USER32(00000001), ref: 00459183
Part of subcall function 0045912D: GetAsyncKeyState.USER32(00000002), ref: 0045919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 004D8B6B
ImageList_EndDrag.COMCTL32 ref: 004D8B71
ReleaseCapture.USER32 ref: 004D8B77
SetWindowTextW.USER32(?,00000000), ref: 004D8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004D8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 004D8CFF

Strings

8!, xrefs: 004D8C71
@GUI_DRAGFILE, xrefs: 004D8C9A
@GUI_DROPID, xrefs: 004D8C51

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: 8!$@GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-1166219895
Opcode ID: a0ca7230934107c96390899ea8ad54bd70d1cf427141af1dfab4e37bac5d64a6
Instruction ID: 28eac5eef2c41ef5e6c08d61097aecc90af9ffb86457c594b6eb6483159ad2fb
Opcode Fuzzy Hash: a0ca7230934107c96390899ea8ad54bd70d1cf427141af1dfab4e37bac5d64a6
Instruction Fuzzy Hash: BD518D70105204AFE700EF15DCA5BAA77E4FB88754F00066EF952572E1DB749D08CB6A

Function 004AB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004AB5FC
_wcslen.LIBCMT ref: 004AB608
_wcslen.LIBCMT ref: 004AB64D
_wcslen.LIBCMT ref: 004AB68C
_wcslen.LIBCMT ref: 004AB6C7

Strings

REMOVE, xrefs: 004AB602, 004AB607
KEYS, xrefs: 004AB647, 004AB64C
APPEND, xrefs: 004AB6C1, 004AB6C6
EXISTS, xrefs: 004AB686, 004AB68B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 963dfe7c3bdc461b1a5192b9690d10f65212161070cf5b056dd4801f6197d378
Instruction ID: ed6aac5e941582bd447c76a36e75cdba909cc26188b70ef77df02fba8728d88d
Opcode Fuzzy Hash: 963dfe7c3bdc461b1a5192b9690d10f65212161070cf5b056dd4801f6197d378
Instruction Fuzzy Hash: 2441D432A001269ACB105F7D88905BF77A5EBB2758B24412BE461DB386E739CD81C7D5

Function 004B5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004B5416
GetLastError.KERNEL32 ref: 004B5420
SetErrorMode.KERNEL32(00000000,READY), ref: 004B54A7

Strings

NOTREADY, xrefs: 004B544B
UNKNOWN, xrefs: 004B5444
INVALID, xrefs: 004B5459
READY, xrefs: 004B5460, 004B5468
READONLY, xrefs: 004B5452

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 46bc3ea60578710bb73a459ebf58068e19fb0861446c15b4a1728fba2d9fe0f4
Instruction ID: a361114cabaeffe2bd6bf3cbdc9f1ab1a491e4915d9ae7350a166f2db07b9c0d
Opcode Fuzzy Hash: 46bc3ea60578710bb73a459ebf58068e19fb0861446c15b4a1728fba2d9fe0f4
Instruction Fuzzy Hash: BF318F35A006059FDB10DF68D488BEABBB4FB45309F14806BE405CB392D779DD86CBA5

Function 004D3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 004D3C79
SetMenu.USER32(?,00000000), ref: 004D3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004D3D10
IsMenu.USER32(?), ref: 004D3D24
CreatePopupMenu.USER32 ref: 004D3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004D3D5B
DrawMenuBar.USER32 ref: 004D3D63

Strings

0, xrefs: 004D3C54
F, xrefs: 004D3D4E

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 614e15d0731964440c1ed621d85bce6f004090904a01c051c4d384726ccbebb9
Instruction ID: 45b9bb1d052f631ac3cf69eba3b1afcdba3fbbeb082fb1fee560747cae313cdb
Opcode Fuzzy Hash: 614e15d0731964440c1ed621d85bce6f004090904a01c051c4d384726ccbebb9
Instruction Fuzzy Hash: 80417E75A0120AEFDF14CF64E8A4ADA77B6FF49351F14002AF94697360D734AA10CF59

Function 004A1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 004A1F64
GetDlgCtrlID.USER32 ref: 004A1F6F
GetParent.USER32 ref: 004A1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A1F8E
GetDlgCtrlID.USER32(?), ref: 004A1F97
GetParent.USER32(?), ref: 004A1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A1FAE

Strings

ComboBox, xrefs: 004A1EEC
ListBox, xrefs: 004A1F21

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 9fa1709b8a8b0dc904c7928f284967eeee461447e0a2ca6b7e00a48f437da276
Instruction ID: f5c7be50a931bf27c86910526ec7639202ce470d87a3b807a6d1f0486944582c
Opcode Fuzzy Hash: 9fa1709b8a8b0dc904c7928f284967eeee461447e0a2ca6b7e00a48f437da276
Instruction Fuzzy Hash: 9121B075900214BFDF04AFA0DC85DEEBBB8EF26354F00011BB961672E1DB389904DB68

Function 004A1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 004A2043
GetDlgCtrlID.USER32 ref: 004A204E
GetParent.USER32 ref: 004A206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A206D
GetDlgCtrlID.USER32(?), ref: 004A2076
GetParent.USER32(?), ref: 004A208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A208D

Strings

ComboBox, xrefs: 004A1FCD
ListBox, xrefs: 004A2002

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 971d5ede5c9fde8da13e69f7927e621dabf1bf9405b4205e876d6b2646b10c17
Instruction ID: 675c691d53afa790d77dcce7d8ee2ba19b9af5ce0010caea81e07894d3b04ead
Opcode Fuzzy Hash: 971d5ede5c9fde8da13e69f7927e621dabf1bf9405b4205e876d6b2646b10c17
Instruction Fuzzy Hash: 0721C275900214BBDF10AFA4CC85EEFBFB8EF16344F000017BA51A72A1DA799914EB68

Function 004D3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004D3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004D3AA0
GetWindowLongW.USER32(?,000000F0), ref: 004D3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004D3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004D3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 004D3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004D3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 004D3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 004D3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 004D3C13

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 49a514794b7ebca6d930d070e56aa01e774dc6c93a0e0c60509f15441701a7c4
Instruction ID: ef94fb0efb48d4861ed8a2e6318f36124b4d066f59b6d755ade031678a1fbff2
Opcode Fuzzy Hash: 49a514794b7ebca6d930d070e56aa01e774dc6c93a0e0c60509f15441701a7c4
Instruction Fuzzy Hash: D1617975A00208AFDB10DFA8CC91EEE77B8EB09704F10419BFA15A73A2D774AE45DB54

Function 00472C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00472C94

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 00472CA0
_free.LIBCMT ref: 00472CAB
_free.LIBCMT ref: 00472CB6
_free.LIBCMT ref: 00472CC1
_free.LIBCMT ref: 00472CCC
_free.LIBCMT ref: 00472CD7
_free.LIBCMT ref: 00472CE2
_free.LIBCMT ref: 00472CED
_free.LIBCMT ref: 00472CFB

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: aebb17aa106131ab861c1e68e5ea04c1e22dbb2af2e4a09f87f3d58975d57af0
Instruction ID: 0ba3b8f7b91fd406bf8d2d1919e05e77fa0f5982a4ff7400bf81e1149e669720
Opcode Fuzzy Hash: aebb17aa106131ab861c1e68e5ea04c1e22dbb2af2e4a09f87f3d58975d57af0
Instruction Fuzzy Hash: 52110AF5200008AFCB02EF65DA42CDD7B65FF05344F44809AFA4C5F222D675EE949B94

Function 004B7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004B7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 004B7FC1
GetFileAttributesW.KERNEL32(?), ref: 004B7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 004B8005
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8017
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004B80B0

Strings

*.*, xrefs: 004B8066

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 7d3b40505bf7d096850dcaf84dfd87411f6d563d969e6fe2cbd9fb05242adb09
Instruction ID: 56d5c8a5a28bd6807d202643043f4ca5e4a9652bd61248bcd9569d178b81017f
Opcode Fuzzy Hash: 7d3b40505bf7d096850dcaf84dfd87411f6d563d969e6fe2cbd9fb05242adb09
Instruction Fuzzy Hash: C5817E715082419BDB20EF15C4849ABB3E8AFC9354F144C6FF885D7250EB39DD49CB6A

Function 00445BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00445C7A

Part of subcall function 00445D0A: GetClientRect.USER32(?,?), ref: 00445D30
Part of subcall function 00445D0A: GetWindowRect.USER32(?,?), ref: 00445D71
Part of subcall function 00445D0A: ScreenToClient.USER32(?,?), ref: 00445D99

GetDC.USER32 ref: 004846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00484708
SelectObject.GDI32(00000000,00000000), ref: 00484716
SelectObject.GDI32(00000000,00000000), ref: 0048472B
ReleaseDC.USER32(?,00000000), ref: 00484733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004847C4

Strings

U, xrefs: 00484693

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7f382ea5cb6f26f31b4c7808c94b90fe8f32831674c9443cd76927ef03ec3865
Instruction ID: b6243a5f60f5ac163331f7952c2bda72984b2bd8d9ebeee4d4f63d540300dd59
Opcode Fuzzy Hash: 7f382ea5cb6f26f31b4c7808c94b90fe8f32831674c9443cd76927ef03ec3865
Instruction Fuzzy Hash: 7F71F330400206DFDF21AF64C984ABE7BB1FF86324F14466BED515A2A6D7398842DF59

Function 004B359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004B35E4

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

LoadStringW.USER32(00512390,?,00000FFF,?), ref: 004B360A

Strings

^ ERROR, xrefs: 004B36C9
Error: , xrefs: 004B36EF
"%s" (%d) : ==> %s:, xrefs: 004B3742
"%s" (%d) : ==> %s:%s%s, xrefs: 004B3724
Line %d (File "%s"):, xrefs: 004B366B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0ed085f5c5e6595c87a2183925352561f9d0a3d805b520be27ae2c0e3a15642d
Instruction ID: 89feca932b25eb1934f002c45981a3138d9e7feaa22e967ad3dd4ccbd8e43e3e
Opcode Fuzzy Hash: 0ed085f5c5e6595c87a2183925352561f9d0a3d805b520be27ae2c0e3a15642d
Instruction Fuzzy Hash: FC519471800509BAEF14EFA1CC81EEEBB74AF14705F14416AF50572191DB381B99DF69

Function 004BC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004BC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004BC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004BC2CA
GetLastError.KERNEL32 ref: 004BC322
SetEvent.KERNEL32(?), ref: 004BC336
InternetCloseHandle.WININET(00000000), ref: 004BC341

Strings

, xrefs: 004BC2BB

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 15b851f1451f0355dff9657068b37e56859aeabed1a0a91bddc0234ee3789367
Instruction ID: d12884eb4a65cfe9831250f70e7a97f93005dc25e37f68aefdc3630dda6740db
Opcode Fuzzy Hash: 15b851f1451f0355dff9657068b37e56859aeabed1a0a91bddc0234ee3789367
Instruction Fuzzy Hash: 2D317171601205AFD7219F658CC4AEB7BFCEB49744B54852FF886D2200DB38DD059BB9

Function 004A989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00483AAF,?,?,Bad directive syntax error,004DCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004A98BC
LoadStringW.USER32(00000000,?,00483AAF,?), ref: 004A98C3

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004A9987

Strings

Line %d:, xrefs: 004A9912
., xrefs: 004A996D
Error: , xrefs: 004A9955
Line %d (File "%s"):, xrefs: 004A992D
%s (%d) : ==> %s.: %s %s, xrefs: 004A98F1

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 2bdf4f05aa46bbe259827325a9d760e62a0e2e52d37d72f743b3548720c5ce72
Instruction ID: db3fadc2fa801c09b6b034043833da2a96834c0cff69deed8c4cfc9b732ae71c
Opcode Fuzzy Hash: 2bdf4f05aa46bbe259827325a9d760e62a0e2e52d37d72f743b3548720c5ce72
Instruction Fuzzy Hash: 6821D23280020AFBDF11AF90CC4AEEE3739BF14704F04042BF515220A2EB389A28DB55

Function 004A209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004A20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004A20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004A214D

Strings

SHELLDLL_DefView, xrefs: 004A20CC
largeicons, xrefs: 004A20E1
details, xrefs: 004A20FB
smallicons, xrefs: 004A2115
list, xrefs: 004A212F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: b8198aa6e0ca5c09d75d16426c9aab8d22ac6b084da093975505dfaea1cbf71f
Instruction ID: 60df70ff62491273c9fff2d1bdf62acfe89a4f5d0518ed9aaacdb005b56aa79b
Opcode Fuzzy Hash: b8198aa6e0ca5c09d75d16426c9aab8d22ac6b084da093975505dfaea1cbf71f
Instruction Fuzzy Hash: 8A11207668470775FA012625DD07DAB379CDF16314F20012BF705A51D1FEE9AC42691D

Function 0047CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0047CEB7
_free.LIBCMT ref: 0047CF22
_free.LIBCMT ref: 0047CF48
_free.LIBCMT ref: 0047CF71
_free.LIBCMT ref: 0047CFA9
_free.LIBCMT ref: 0047CFDA
_free.LIBCMT ref: 0047D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0047D09C
_free.LIBCMT ref: 0047D0B5

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 66429308e860ce036eb1cc6f2229209c41f0cac7d107cf5e13843135bb30b00c
Instruction ID: 8998aa18cf2f96a98cc445552d8a12f738e25ffa69d6fb7e681a71822c40bc0c
Opcode Fuzzy Hash: 66429308e860ce036eb1cc6f2229209c41f0cac7d107cf5e13843135bb30b00c
Instruction Fuzzy Hash: EB6167B1A04200AFCB21AFB5A8C1AEE7BA5AF01324F04C16FF94C973C1D67D99458798

Function 004D50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 004D5186
ShowWindow.USER32(?,00000000), ref: 004D51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 004D51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 004D51D1

Part of subcall function 004D6FBA: DeleteObject.GDI32(00000000), ref: 004D6FE6

GetWindowLongW.USER32(?,000000F0), ref: 004D520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004D521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004D524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 004D5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 004D5296

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: ca64b5ae814ac157c5aff9d3b0caf43bb4ef10106ae2fc658fdc62e2b1188733
Instruction ID: 271e8283f0750d73b841dcb81508e3844a960d5895b893f6e4f70c3c0d6d9416
Opcode Fuzzy Hash: ca64b5ae814ac157c5aff9d3b0caf43bb4ef10106ae2fc658fdc62e2b1188733
Instruction Fuzzy Hash: 1751B030A40A09FEEF209F25CC69BD93B71EB05365F144057FA24963E1CB79A988DF49

Function 00458B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00496890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00458874,00000000,00000000,00000000,000000FF,00000000), ref: 00496901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0049691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00458874,00000000,00000000,00000000,000000FF,00000000), ref: 0049692D

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: d26b87c3ec0cc63a5604e2c480ad1b71e1ec560614691cb08f5f59c00dc797f1
Instruction ID: 3d9d252fd6670256bf7d472955d5b17426a994a3c40cb45c316a390f91522449
Opcode Fuzzy Hash: d26b87c3ec0cc63a5604e2c480ad1b71e1ec560614691cb08f5f59c00dc797f1
Instruction Fuzzy Hash: 7A518B70600209EFDB20CF25CC91FAA7BB9FB54351F10452EF952A72A0DB78E955DB48

Function 004BC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004BC182
GetLastError.KERNEL32 ref: 004BC195
SetEvent.KERNEL32(?), ref: 004BC1A9

Part of subcall function 004BC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004BC272
Part of subcall function 004BC253: GetLastError.KERNEL32 ref: 004BC322
Part of subcall function 004BC253: SetEvent.KERNEL32(?), ref: 004BC336
Part of subcall function 004BC253: InternetCloseHandle.WININET(00000000), ref: 004BC341

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 3d222d4571ad41a43c9b383e354691c142bd969bfc41157a36649bf9fcc2c101
Instruction ID: f9df2617791211eb2f39e988012895d8db24782670b1aa82498a0df620bffa4b
Opcode Fuzzy Hash: 3d222d4571ad41a43c9b383e354691c142bd969bfc41157a36649bf9fcc2c101
Instruction Fuzzy Hash: A5318D71A01602AFDB259FA59CC4AA7BBE9FF58300B00446FF95686610C734E810DBB8

Function 004A25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A3A57
Part of subcall function 004A3A3D: GetCurrentThreadId.KERNEL32 ref: 004A3A5E
Part of subcall function 004A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004A25B3), ref: 004A3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004A25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004A25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004A25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004A25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004A2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 004A2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 004A260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004A2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 004A2627

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 909944f577f2669676cef74bab3037bcc196fcc7eb2671ba074d5b9379709817
Instruction ID: 8631db7f7a30711a9c15e0dc5eb50f0979069d6aaad4fe4558ce54345911e352
Opcode Fuzzy Hash: 909944f577f2669676cef74bab3037bcc196fcc7eb2671ba074d5b9379709817
Instruction Fuzzy Hash: 2E01B130691220BBFB106B699CCAF593F59EB5AB12F100016F318AE0D1C9E26444DA6E

Function 004A1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,004A1449,?,?,00000000), ref: 004A180C
HeapAlloc.KERNEL32(00000000,?,004A1449,?,?,00000000), ref: 004A1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004A1449,?,?,00000000), ref: 004A1828
GetCurrentProcess.KERNEL32(?,00000000,?,004A1449,?,?,00000000), ref: 004A1830
DuplicateHandle.KERNEL32(00000000,?,004A1449,?,?,00000000), ref: 004A1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004A1449,?,?,00000000), ref: 004A1843
GetCurrentProcess.KERNEL32(004A1449,00000000,?,004A1449,?,?,00000000), ref: 004A184B
DuplicateHandle.KERNEL32(00000000,?,004A1449,?,?,00000000), ref: 004A184E
CreateThread.KERNEL32(00000000,00000000,004A1874,00000000,00000000,00000000), ref: 004A1868

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: dc6495899f31bcdcdf009a46f695579bca38253cfd411dd27686dacfdbf80979
Instruction ID: bdf6b4eaa9eeae5254ed24fe74737f8e8b07cfa4fa553a3be1d1247a8ecd04ae
Opcode Fuzzy Hash: dc6495899f31bcdcdf009a46f695579bca38253cfd411dd27686dacfdbf80979
Instruction Fuzzy Hash: 4C01BFB5281315BFE710AB65DC8DF5B3B6CEB89B11F004421FA05DB1A1C6749C00CF24

Function 00473E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00473F0B
__alldvrm.LIBCMT ref: 0047410C
__alldvrm.LIBCMT ref: 0047412E

Strings

}}F, xrefs: 00473E8A
}}F, xrefs: 004740CD
}}F, xrefs: 00473E96, 00473EF1, 00473F0A, 00474090

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}F$}}F$}}F
API String ID: 1036877536-383095928
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: f3e6061c1718ba565ccc466e0c020b4cab50d8d097cf18c0bee654123dbbbaf0
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: BCA13771A002869FDB11DE18C8917FEBBE4EFA1354F14816FE5999B381C33C9982C759

Function 0044BBE0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0044BEB3

Strings

8!, xrefs: 0044BC10
D%Q, xrefs: 0044BDED, 0044BD91, 0044BD1B
D%Q, xrefs: 0044BE9A
D%QD%Q, xrefs: 0044BCA5
X$, xrefs: 0044BC1B, 0044BCC7
D%Q, xrefs: 0044BCA2

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 8!$D%Q$D%Q$D%Q$D%QD%Q$X$
API String ID: 1385522511-1544116721
Opcode ID: 4fcf8aa9873ddece55a3007e5e5147d209f0f3208898c7caed342ab8f5210622
Instruction ID: 0ba7a8de2bb56d4c2ff83a37bdd18722cfed48367b30cee661fb2c7182108769
Opcode Fuzzy Hash: 4fcf8aa9873ddece55a3007e5e5147d209f0f3208898c7caed342ab8f5210622
Instruction Fuzzy Hash: 3D9128B5A002068FDB18CF59C0D06AABBF2FB58314F24816ED945AB350E735E982DBD4

Function 004C7B7E Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00460242: EnterCriticalSection.KERNEL32(0051070C,00511884,?,?,0045198B,00512518,?,?,?,004412F9,00000000), ref: 0046024D
Part of subcall function 00460242: LeaveCriticalSection.KERNEL32(0051070C,?,0045198B,00512518,?,?,?,004412F9,00000000), ref: 0046028A

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004600A3: __onexit.LIBCMT ref: 004600A9

__Init_thread_footer.LIBCMT ref: 004C7BFB

Part of subcall function 004601F8: EnterCriticalSection.KERNEL32(0051070C,?,?,00458747,00512514), ref: 00460202
Part of subcall function 004601F8: LeaveCriticalSection.KERNEL32(0051070C,?,00458747,00512514), ref: 00460235

Strings

Variable must be of type 'Object'., xrefs: 004C7C3A
+TI, xrefs: 004C7E2E
G8!, xrefs: 004C7CD4, 004C7D73, 004C7D05, 004C7E05
G8!, xrefs: 004C7C96
5, xrefs: 004C7C78
8!, xrefs: 004C7D5C, 004C7C50

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TI$5$8!$G8!$G8!$Variable must be of type 'Object'.
API String ID: 535116098-1410104274
Opcode ID: 74b76dc187437e59a13d33c549e262b98d14738056c9113a6b3db423fc01a31c
Instruction ID: d814add8410bfd73be9f32f71b532d404978eff9d7fa82c2419d420fa5cb2141
Opcode Fuzzy Hash: 74b76dc187437e59a13d33c549e262b98d14738056c9113a6b3db423fc01a31c
Instruction Fuzzy Hash: 2F918E78604209AFCB54EF55D891EAEB7B1BF48304F10805EF8065B392DB39AE45CF59

Function 004CA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 004AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 004AD501
Part of subcall function 004AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 004AD50F
Part of subcall function 004AD4DC: CloseHandle.KERNELBASE(00000000), ref: 004AD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 004CA16D
GetLastError.KERNEL32 ref: 004CA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004CA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 004CA268
GetLastError.KERNEL32(00000000), ref: 004CA273
CloseHandle.KERNEL32(00000000), ref: 004CA2C4

Strings

SeDebugPrivilege, xrefs: 004CA18F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 32bc00c4b239634de8ebd2e346d0508e513fd0a226e27a484f93fa4f809ed43c
Instruction ID: 2ff1938ce34f780f0a64fd94d7596f15b2ee2de312a4735abe33709841a61638
Opcode Fuzzy Hash: 32bc00c4b239634de8ebd2e346d0508e513fd0a226e27a484f93fa4f809ed43c
Instruction Fuzzy Hash: 2561BF342052429FE720DF15C494F16BBE1AF4431CF18849EE4568B7A3C77AEC49CB8A

Function 004D3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004D3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004D393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004D3954
_wcslen.LIBCMT ref: 004D3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004D39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004D39F4

Strings

SysListView32, xrefs: 004D38F7

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: c9e292629c104426d97e19e0eff4e73fe987805318f3b8a725e09d4cab64ef0a
Instruction ID: 25a7ecb3745f3a40b8832d9d99d8b10ec833bf11532d6485dc218388bc3bb7af
Opcode Fuzzy Hash: c9e292629c104426d97e19e0eff4e73fe987805318f3b8a725e09d4cab64ef0a
Instruction Fuzzy Hash: D941C171A00209ABEF219F64CC55BEB7BA9EF08354F10056BF948E7381D7759D84CB98

Function 004ABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004ABCFD
IsMenu.USER32(00000000), ref: 004ABD1D
CreatePopupMenu.USER32 ref: 004ABD53
GetMenuItemCount.USER32(00DC4A58), ref: 004ABDA4
InsertMenuItemW.USER32(00DC4A58,?,00000001,00000030), ref: 004ABDCC

Strings

2, xrefs: 004ABD37
0, xrefs: 004ABCA8

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f6ff5cf6039889734dc2f11559b9f4903c15cbe3c2e2bb6b09886ecc51f77f5f
Instruction ID: 3c5c0361c0a5841879fd5d04493612cb6da1e4210aa0e88315f0744e42ee0d3f
Opcode Fuzzy Hash: f6ff5cf6039889734dc2f11559b9f4903c15cbe3c2e2bb6b09886ecc51f77f5f
Instruction Fuzzy Hash: 2E51CD70A00205ABDF11CFB9D8C4BAEBBF5EF66314F14422BE4419B392D7789941CB99

Function 00462D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00462D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00462D53
_ValidateLocalCookies.LIBCMT ref: 00462DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00462E0C
_ValidateLocalCookies.LIBCMT ref: 00462E61

Strings

csm, xrefs: 00462DF6
&HF, xrefs: 00462DFE, 00462E07, 00462E18

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HF$csm
API String ID: 1170836740-2649640693
Opcode ID: a1c496db19a748f7fecd5b7b189eaaf0d6d7c34c0b55bf4f9e38e2a780a85360
Instruction ID: 875ed444d15d527e8af61c4012b13fae0218efa7271b61c8fe7120f7e3cf08dd
Opcode Fuzzy Hash: a1c496db19a748f7fecd5b7b189eaaf0d6d7c34c0b55bf4f9e38e2a780a85360
Instruction Fuzzy Hash: 7E41F834A00609BBCF10DF69C944ADFBBB4BF45319F14816BE8146B352E7B99A01CBD6

Function 004AC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004AC913

Strings

question, xrefs: 004AC8CC
stop, xrefs: 004AC8E4
warning, xrefs: 004AC8FC
blank, xrefs: 004AC895
info, xrefs: 004AC8B4

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8f263f146b2c9e421d376799c5979851b965187df7f7fe4b3fdf0cf41e874e18
Instruction ID: 16b6ea95b1709cc9724e4b5dfe8e55fb97f2da5c576e3d4bc793332f902448f8
Opcode Fuzzy Hash: 8f263f146b2c9e421d376799c5979851b965187df7f7fe4b3fdf0cf41e874e18
Instruction Fuzzy Hash: D3112B75789307BAEB416B549CC2CAF27DCEF26319B10002FF500A63C2E7AC5D0052AE

Function 004ADE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004ADE42
gethostname.WSOCK32(?,00000100), ref: 004ADE5C
gethostbyname.WSOCK32(?), ref: 004ADE69
inet_ntoa.WSOCK32(?), ref: 004ADEAB
_strcat.LIBCMT ref: 004ADEB9
WSACleanup.WSOCK32 ref: 004ADEDE

Strings

0.0.0.0, xrefs: 004ADE87

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 0ca228bd3151af3bd1f4f82d48fb1e4312a97fd19ca782068144863a3b63cc3e
Instruction ID: f3af1f278199b6cc1cbf7ac1cea5a57b0e4e061a83707dda274950cd125067ac
Opcode Fuzzy Hash: 0ca228bd3151af3bd1f4f82d48fb1e4312a97fd19ca782068144863a3b63cc3e
Instruction Fuzzy Hash: B9112471900106AFCB24AB319C4AEEF77ACDF22715F00017BF40696191FF788A81CA69

Function 004D9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

GetSystemMetrics.USER32(0000000F), ref: 004D9FC7
GetSystemMetrics.USER32(0000000F), ref: 004D9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 004DA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004DA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004DA263
ShowWindow.USER32(00000003,00000000), ref: 004DA282
InvalidateRect.USER32(?,00000000,00000001), ref: 004DA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 004DA2CA

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: fbd755e1ab466d482bf0847fc694c41c649ca48ce43c343490ed376af1944b1f
Instruction ID: 440ce6ad8c40993317254c2d2818feecd50e0ba8c4dcb544fccd95fe798cbbd2
Opcode Fuzzy Hash: fbd755e1ab466d482bf0847fc694c41c649ca48ce43c343490ed376af1944b1f
Instruction Fuzzy Hash: 68B1BA31600215EBDF14CF69C9A57AE3BB2FF44701F0880ABEC459B395D739A950CB5A

Function 004AED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 004AED2A
_wcslen.LIBCMT ref: 004AED3B
_wcslen.LIBCMT ref: 004AED79
_wcslen.LIBCMT ref: 004AEDAF
_wcslen.LIBCMT ref: 004AEDDF
_wcslen.LIBCMT ref: 004AEDEF
_wcslen.LIBCMT ref: 004AEE2B
_wcslen.LIBCMT ref: 004AEE5A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 03030b42329bdb120f1bf557848a0e08b7066b4cd98f0166303a6c46383f3569
Instruction ID: 61089c29621f4c03c018c975eff2bf5c02497322de218c5e031bb2b1b370a7aa
Opcode Fuzzy Hash: 03030b42329bdb120f1bf557848a0e08b7066b4cd98f0166303a6c46383f3569
Instruction Fuzzy Hash: 8C41B365D1021875DB11EBF6888A9CFB7A8AF46310F50846BE524E3161FB38E245C3AE

Function 0045F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0049682C,00000004,00000000,00000000), ref: 0045F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0049682C,00000004,00000000,00000000), ref: 0049F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0049682C,00000004,00000000,00000000), ref: 0049F454

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 294d681eb5e4823b955328d1a3d09878e618d51fa5731f021491e0bcb6994c19
Instruction ID: a783f981f3eab997c494d709bb14b585c4ee7a8dcfc3491be260b677bcaca31f
Opcode Fuzzy Hash: 294d681eb5e4823b955328d1a3d09878e618d51fa5731f021491e0bcb6994c19
Instruction Fuzzy Hash: 1D412D71104E40BACB348B29888876B7F91AB56316F54403FE84792762C63DA88DCB1F

Function 004D2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004D2D1B
GetDC.USER32(00000000), ref: 004D2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004D2D2E
ReleaseDC.USER32(00000000,00000000), ref: 004D2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004D2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004D2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004D5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 004D2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004D2DE1

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8b82b2016ee0037bd65550d53c20b18dc26e805112ac20d2e2f631e31d5602ab
Instruction ID: da022ccd91059b4e424e5eb17b663db704d484db4083f15bb9dd614cd121231b
Opcode Fuzzy Hash: 8b82b2016ee0037bd65550d53c20b18dc26e805112ac20d2e2f631e31d5602ab
Instruction Fuzzy Hash: 15319F72202214BFEF114F50CC89FEB3BA9EF19715F044066FE089A291C6B59C41CBA8

Function 004A5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004A5637
_memcmp.LIBVCRUNTIME ref: 004A5659
_memcmp.LIBVCRUNTIME ref: 004A5671
_memcmp.LIBVCRUNTIME ref: 004A5684
_memcmp.LIBVCRUNTIME ref: 004A569E
_memcmp.LIBVCRUNTIME ref: 004A56B1
_memcmp.LIBVCRUNTIME ref: 004A56C9
_memcmp.LIBVCRUNTIME ref: 004A56E4

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f722c7d1b621303366fab038fbb9ebe1397cba75fa7434abe2b346d8916bbd3b
Instruction ID: 005ae5f3177a376e18ccb004f5961deebc0fcb23072fc9ad72d40bf1aea8fc31
Opcode Fuzzy Hash: f722c7d1b621303366fab038fbb9ebe1397cba75fa7434abe2b346d8916bbd3b
Instruction Fuzzy Hash: 4521AA61641A0577E22455114F92FFB335CAF32788F544027FD1A5AB41F72CED1581AE

Function 004C4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 004C5007
NULL Pointer assignment, xrefs: 004C502E, 004C5383

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 1bd7d6800020957aab9a7591fb60b1393181417224b3378dad40143ef9540d6e
Instruction ID: a9f2bec09532a0655e3794246d5f6830b869d37bbe4be8ca48634e73a6e8b997
Opcode Fuzzy Hash: 1bd7d6800020957aab9a7591fb60b1393181417224b3378dad40143ef9540d6e
Instruction Fuzzy Hash: D0D1BF79A0060A9FDF50CF98C884FAEB7B5BF48344F14806EE915AB281D774ED81CB54

Function 00481522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004817FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004815CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00481651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004817FB,?,004817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004816E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004816FB

Part of subcall function 00473820: HeapAlloc.KERNEL32(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00481777
__freea.LIBCMT ref: 004817A2
__freea.LIBCMT ref: 004817AE

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocHeapInfo
String ID:
API String ID: 2171645-0
Opcode ID: 9415c29822a50cf534b2c9ea2886be18ee35378679dbc8ba913e585e4bb60fe9
Instruction ID: fa4dccd8204f5dd146a8e28286fc9d4ce49fa7fdfc297254b883d7c7c22685ff
Opcode Fuzzy Hash: 9415c29822a50cf534b2c9ea2886be18ee35378679dbc8ba913e585e4bb60fe9
Instruction Fuzzy Hash: 6791B771E00216ABDB20AE64C881EEF7BB99F45314F184A5FE805E7261D73DCC42CB69

Function 004C4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C4648
VariantInit.OLEAUT32(?), ref: 004C4749
VariantClear.OLEAUT32(?), ref: 004C4753
VariantClear.OLEAUT32(?), ref: 004C47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 004C45D8, 004C4706, 004C47BE
Incorrect Object type in FOR..IN loop, xrefs: 004C472C

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 94737b2148c702a8f0c67b4a274cfe31ea2ca0d74d13d49ba6413c6cdec80769
Instruction ID: 29f19847784d5d7a4d6f60b1afed354ba41887118bc72cf56a9dce0de3877e74
Opcode Fuzzy Hash: 94737b2148c702a8f0c67b4a274cfe31ea2ca0d74d13d49ba6413c6cdec80769
Instruction Fuzzy Hash: AD91D234A00219ABDF60CFA5C994FAFBBB8EF85714F10815EF505AB280D7789945CFA4

Function 004B1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 004B125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 004B1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004B12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004B12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004B135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004B13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004B1430

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: cd22fbec725aee156c16e021021bf750f6382cf49d0238e32c128bf489128d04
Instruction ID: 3e29a73caaf2e29e2d8acd1ae114a487005196be0bc1ebb59270d384b97273b0
Opcode Fuzzy Hash: cd22fbec725aee156c16e021021bf750f6382cf49d0238e32c128bf489128d04
Instruction Fuzzy Hash: 22910371900219AFEB04DF95C8A4BFE77B5FF05315F10402BE900E72A1D778A946CBA9

Function 0045948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 944fb01354e0aaa822c6cc881e25c4ea0fb431730f0b050111b99771300e0e6a
Instruction ID: 74a8645b6ca3a0ca72b9aa6377109f8c0fc6ff87eb950cdc2085871ce9f207c8
Opcode Fuzzy Hash: 944fb01354e0aaa822c6cc881e25c4ea0fb431730f0b050111b99771300e0e6a
Instruction Fuzzy Hash: 16912771900219EFCB11CFA9C884AEEBBB8FF49320F14415AE915B7252D378AD56CB64

Function 004C3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C396B
CharUpperBuffW.USER32(?,?), ref: 004C3A7A
_wcslen.LIBCMT ref: 004C3A8A
VariantClear.OLEAUT32(?), ref: 004C3C1F

Part of subcall function 004B0CDF: VariantInit.OLEAUT32(00000000), ref: 004B0D1F
Part of subcall function 004B0CDF: VariantCopy.OLEAUT32(?,?), ref: 004B0D28
Part of subcall function 004B0CDF: VariantClear.OLEAUT32(?), ref: 004B0D34

Strings

AUTOIT.ERROR, xrefs: 004C3A80, 004C3A85
Incorrect Parameter format, xrefs: 004C39A6, 004C3BA1

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: dcb787bf536ab1b0c03cb0edac8864d8eb9d8c3a5512c244d467ef2648999679
Instruction ID: f81e04b5ae747fc4d50f04f812d9c8d912e0cfc5c3ea3939cfe3068846855698
Opcode Fuzzy Hash: dcb787bf536ab1b0c03cb0edac8864d8eb9d8c3a5512c244d467ef2648999679
Instruction Fuzzy Hash: CF917C796083019FC740DF25C48096AB7E4FF88319F14896EF88997352DB39EE05CB96

Function 004C4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 004A000E: CLSIDFromProgID.OLE32 ref: 004A002B
Part of subcall function 004A000E: ProgIDFromCLSID.OLE32(?,00000000), ref: 004A0046
Part of subcall function 004A000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?), ref: 004A0054
Part of subcall function 004A000E: CoTaskMemFree.OLE32(00000000), ref: 004A0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 004C4C51
_wcslen.LIBCMT ref: 004C4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 004C4DCF
CoTaskMemFree.OLE32(?), ref: 004C4DDA

Strings

NULL Pointer assignment, xrefs: 004C4E23, 004C4E52

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 43686361d4b16630570906179251e7a2b99c76102b686e5513720fa404d1aa51
Instruction ID: a92ec6f2eeebdb90253cbe6a5a76e55c58ae88e86a68cdb47fd6447623d2d603
Opcode Fuzzy Hash: 43686361d4b16630570906179251e7a2b99c76102b686e5513720fa404d1aa51
Instruction Fuzzy Hash: 61912671D00219AFDF10EFA5D890EEEB7B8BF48304F10856EE915A7251EB389A45CF64

Function 004D20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004D2183
GetMenuItemCount.USER32(00000000), ref: 004D21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004D21DD
_wcslen.LIBCMT ref: 004D2213
GetMenuItemID.USER32(?,?), ref: 004D224D
GetSubMenu.USER32(?,?), ref: 004D225B

Part of subcall function 004A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A3A57
Part of subcall function 004A3A3D: GetCurrentThreadId.KERNEL32 ref: 004A3A5E
Part of subcall function 004A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004A25B3), ref: 004A3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004D22E3

Part of subcall function 004AE97B: Sleep.KERNEL32 ref: 004AE9F3

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 4c5cc17a383c97f503dc68821025030fb9aec6c91395e61b9569e494bc1c55b4
Instruction ID: 1eb29127a43270096bd2fc703890d16d1accd9284dae8117433b47397054ab01
Opcode Fuzzy Hash: 4c5cc17a383c97f503dc68821025030fb9aec6c91395e61b9569e494bc1c55b4
Instruction Fuzzy Hash: 8E71BF75A00215AFCB00DF65C991AAEB7F1EF58314F1484ABE816EB341D778EE42CB94

Function 004D7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00DC4A08), ref: 004D7F37
IsWindowEnabled.USER32(00DC4A08), ref: 004D7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 004D801E
SendMessageW.USER32(00DC4A08,000000B0,?,?), ref: 004D8051
IsDlgButtonChecked.USER32(?,?), ref: 004D8089
GetWindowLongW.USER32(00DC4A08,000000EC), ref: 004D80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004D80C3

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 749feb432ad6bfe31d0f0212d12fbe5c9e4a36a275d539fe3f4ddcdb719fcf42
Instruction ID: cfa82f2d9c4b1b4e2f09fb6d85c25dc28d4f4f631e20ee820c381c64dca322b5
Opcode Fuzzy Hash: 749feb432ad6bfe31d0f0212d12fbe5c9e4a36a275d539fe3f4ddcdb719fcf42
Instruction Fuzzy Hash: 6B719E34608204AFEB319F64C8A4FBBBBB5EF19300F14405FE955973A1DB39A845DB18

Function 004AAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004AAEF9
GetKeyboardState.USER32(?), ref: 004AAF0E
SetKeyboardState.USER32(?), ref: 004AAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 004AAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 004AAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 004AAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004AB020

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8b0b43fddfcb29ea99e8846d443d43ebcbaa136794b4c419bdc0ebb2d816c033
Instruction ID: 34b71844aad9456e71622ac18e9120943deb66be0a4762d1956c92165d82f850
Opcode Fuzzy Hash: 8b0b43fddfcb29ea99e8846d443d43ebcbaa136794b4c419bdc0ebb2d816c033
Instruction Fuzzy Hash: 6751D2A16087D53DFB3642348C45BBBBEA99B17304F08848BF1D5455C3C39CA894D799

Function 004AACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004AAD19
GetKeyboardState.USER32(?), ref: 004AAD2E
SetKeyboardState.USER32(?), ref: 004AAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004AADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004AADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004AAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004AAE38

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 866bf4d70252961e47356eb6ce41eb6091dfb151fa85dc2bf42c92ddca7d7f28
Instruction ID: b1e65f21ce83035a07029bb33c244386b57701b77e56a04236a3f084deb95884
Opcode Fuzzy Hash: 866bf4d70252961e47356eb6ce41eb6091dfb151fa85dc2bf42c92ddca7d7f28
Instruction Fuzzy Hash: 7A51E5A15447D13DFB3382248C85B7BBE995B67304F08848AE1D54A9C2C398ECA8D76A

Function 0047542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00483CD6,?,?,?,?,?,?,?,?,00475BA3,?,?,00483CD6,?,?), ref: 00475470
__fassign.LIBCMT ref: 004754EB
__fassign.LIBCMT ref: 00475506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00483CD6,00000005,00000000,00000000), ref: 0047552C
WriteFile.KERNEL32(?,00483CD6,00000000,00475BA3,00000000,?,?,?,?,?,?,?,?,?,00475BA3,?), ref: 0047554B
WriteFile.KERNEL32(?,?,00000001,00475BA3,00000000,?,?,?,?,?,?,?,?,?,00475BA3,?), ref: 00475584

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9549547556f51100c2141d25b0a1bdf8d4073b67f4d06855d02487afbecad6a7
Instruction ID: 40baae7a764fe4dd34d6ed3f700e3c6400a4d56e47c0465d07001c66f1f32300
Opcode Fuzzy Hash: 9549547556f51100c2141d25b0a1bdf8d4073b67f4d06855d02487afbecad6a7
Instruction Fuzzy Hash: 7651E6B0900649AFDB10CFA8D885AEEBBF9EF09300F14811FF959E7291D7749A45CB64

Function 00472051 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004720C3
_free.LIBCMT ref: 004720E3

Strings

8!, xrefs: 00472076, 004720B8, 004720D8, 00472158

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free
String ID: 8!
API String ID: 269201875-1003366106
Opcode ID: d3648ba8661c965503b7f69203103bdb6253d96812a4df49946af4c3f8243354
Instruction ID: 858002681308a3c299a26272eef0e5f8f03e18d26878b291f943175413e649a6
Opcode Fuzzy Hash: d3648ba8661c965503b7f69203103bdb6253d96812a4df49946af4c3f8243354
Instruction Fuzzy Hash: C9410772A002009FCB20DF79C981A9EB7F1FF85314F15816AE609EB351D675AD05C795

Function 004C10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004C307A
Part of subcall function 004C304E: _wcslen.LIBCMT ref: 004C309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004C1112
WSAGetLastError.WSOCK32 ref: 004C1121
WSAGetLastError.WSOCK32 ref: 004C11C9
closesocket.WSOCK32(00000000), ref: 004C11F9

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4c8cf4fb4acc085cd14a73aad5899841fba0f1a144b370504ba58131a25a8b32
Instruction ID: 47ffa7493e2015f64aa19a83b10b730bdadacdf65b648146cfaff894045f0197
Opcode Fuzzy Hash: 4c8cf4fb4acc085cd14a73aad5899841fba0f1a144b370504ba58131a25a8b32
Instruction Fuzzy Hash: 2B41D535600105AFDB109F14C884FAAB7E9EF46368F18815EFD159B292CB78ED41CBA9

Function 004ACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004ACF22,?), ref: 004ADDFD

Part of subcall function 004ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004ACF22,?), ref: 004ADE16

lstrcmpiW.KERNEL32(?,?), ref: 004ACF45
MoveFileW.KERNEL32(?,?), ref: 004ACF7F
_wcslen.LIBCMT ref: 004AD005
_wcslen.LIBCMT ref: 004AD01B
SHFileOperationW.SHELL32(?), ref: 004AD061

Strings

\*.*, xrefs: 004ACFF3

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 5cd05277562859b17dc5cd017436be8e5492e8bbf59e18f1a9adca612e7dda75
Instruction ID: 392ac6026eeb3a22524224528d312c1bc87afe7fc8ef7bf82fcfc7fa6a892a5a
Opcode Fuzzy Hash: 5cd05277562859b17dc5cd017436be8e5492e8bbf59e18f1a9adca612e7dda75
Instruction Fuzzy Hash: B6415871D451195FDF52EBA5C9C1ADEB7B8AF15344F0000EBE505EB141EB38AA44CB54

Function 004D2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004D2E1C
GetWindowLongW.USER32(?,000000F0), ref: 004D2E4F
GetWindowLongW.USER32(?,000000F0), ref: 004D2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004D2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 004D2EE0
GetWindowLongW.USER32(?,000000F0), ref: 004D2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004D2F0B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 76477104da214ec9165e06b8005597cff0cac5f047b208d206b1b8f997a40c10
Instruction ID: fcfbbe9f3a7f35c7ee366bc3b880ab5396c1a7dc80de23eddae060bdac864776
Opcode Fuzzy Hash: 76477104da214ec9165e06b8005597cff0cac5f047b208d206b1b8f997a40c10
Instruction Fuzzy Hash: D4311530645151AFDB21CF18DDA4FA637E0EBAA711F1441A6FA108F3B1CBB5E844EB09

Function 004A7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A778F
SysAllocString.OLEAUT32(00000000), ref: 004A7792
SysAllocString.OLEAUT32(?), ref: 004A77B0
SysFreeString.OLEAUT32(?), ref: 004A77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004A77DE
SysAllocString.OLEAUT32(?), ref: 004A77EC

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3284afa4da20e2a44a0e2830730aa0cacc71447dfbdf42bdf45210035214a175
Instruction ID: d834d9d838939c2bccd77927589367021da2b976bec31c93e0498fbe242491d2
Opcode Fuzzy Hash: 3284afa4da20e2a44a0e2830730aa0cacc71447dfbdf42bdf45210035214a175
Instruction Fuzzy Hash: 7121C77A605219AFDF10DFA8CC84CBB77ACEB1A3647008127F904DB291D674EC45CB68

Function 004A77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A7868
SysAllocString.OLEAUT32(00000000), ref: 004A786B
SysAllocString.OLEAUT32 ref: 004A788C
SysFreeString.OLEAUT32 ref: 004A7895
StringFromGUID2.OLE32(?,?,00000028), ref: 004A78AF
SysAllocString.OLEAUT32(?), ref: 004A78BD

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e0b40abde32804f19cb10fe19faa7a6afc1473eb1126c8b3fa244e38d000ef42
Instruction ID: 58574808da0cbfdf40cb8d4d9d1eaa02c9caff67c5b7afd5d902c739162ff6cc
Opcode Fuzzy Hash: e0b40abde32804f19cb10fe19faa7a6afc1473eb1126c8b3fa244e38d000ef42
Instruction Fuzzy Hash: CE21A431609105AFDB20AFA8DC88DAB77ECEF19360710813AF915CB2A5D67CDC45CB68

Function 004B04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004B04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004B052E

Strings

nul, xrefs: 004B0567

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 74793bd0e7fb4925b538dfb35c6147ccbabbd2f7963e5a89d4c8a572857888ab
Instruction ID: 94b8e1d95637bcbf618ee58becd51ff788a14973bbe5ec2d16f6b1caa4af6b28
Opcode Fuzzy Hash: 74793bd0e7fb4925b538dfb35c6147ccbabbd2f7963e5a89d4c8a572857888ab
Instruction Fuzzy Hash: B7218DB1500306AFDB309F69DC44ADB7BE4AF54725F204A2AF8A1D62E0D7749941CF38

Function 004B05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004B05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004B0601

Strings

nul, xrefs: 004B0639

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d7a2e380bdf39fe4debcd54329ecb37c7a321aa895f093cc24d09092e63fd003
Instruction ID: b18e9eac55d7f52dcf7a31eba5c66707712f81b450b70839d2619d75c6bc7e60
Opcode Fuzzy Hash: d7a2e380bdf39fe4debcd54329ecb37c7a321aa895f093cc24d09092e63fd003
Instruction Fuzzy Hash: 3D217F75500306ABDB209F698C44ADB77E4BF95725F200B1AECA1E72E0D7749861CB28

Function 004D40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0044604C
Part of subcall function 0044600E: GetStockObject.GDI32(00000011), ref: 00446060
Part of subcall function 0044600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0044606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004D4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004D411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004D412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004D4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004D4145

Strings

Msctls_Progress32, xrefs: 004D40E3

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7c2b11f17bca165079468c48876145974ef0b443ba41a51deda4c95b43183e3c
Instruction ID: f69f012502aa063981a989bb5269bf26ec50392998d2356d6141488d885c4c8e
Opcode Fuzzy Hash: 7c2b11f17bca165079468c48876145974ef0b443ba41a51deda4c95b43183e3c
Instruction Fuzzy Hash: 121193B1150119BFEF118F64CC85EEB7F6DEF09798F014112B718A2190C6769C21DBA8

Function 0047D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0047D7A3: _free.LIBCMT ref: 0047D7CC

_free.LIBCMT ref: 0047D82D

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 0047D838
_free.LIBCMT ref: 0047D843
_free.LIBCMT ref: 0047D897
_free.LIBCMT ref: 0047D8A2
_free.LIBCMT ref: 0047D8AD
_free.LIBCMT ref: 0047D8B8

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 804389c3e41c50e3092ec096abba039725b34e916578a4ab36863824884e7bd9
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D51181F1A50B04AAD531BFB2CC07FCBBBEC6F40704F44882EB29DA6092DA6CB5494654

Function 004ADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004ADA74
LoadStringW.USER32(00000000), ref: 004ADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004ADA91
LoadStringW.USER32(00000000), ref: 004ADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004ADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004ADAB9

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 90f324e552b8d78d3f5ff097c4d5291a76096da663af796a468f67d47592e2d4
Instruction ID: 8c8b13b5b8a3f2233f283526b221920a1c95ab5d42170351b8643db1df47f13f
Opcode Fuzzy Hash: 90f324e552b8d78d3f5ff097c4d5291a76096da663af796a468f67d47592e2d4
Instruction Fuzzy Hash: B80162F29002197FEB109BA09DC9EEB376CE709701F4045A7B706E2041EA749E848F78

Function 004B096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00DBDDC8,00DBDDC8), ref: 004B097B
EnterCriticalSection.KERNEL32(00DBDDA8,00000000), ref: 004B098D
TerminateThread.KERNEL32(?,000001F6), ref: 004B099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004B09A9
CloseHandle.KERNEL32(?), ref: 004B09B8
InterlockedExchange.KERNEL32(00DBDDC8,000001F6), ref: 004B09C8
LeaveCriticalSection.KERNEL32(00DBDDA8), ref: 004B09CF

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6c44b8b2652ed3c52ba62c1e75537857bdc89360587007c152d5d510ed2f846a
Instruction ID: 9f7172ae23fb9d0db2e95bf315e97fd0ea21d285f82abf9bc9784e8e49704f22
Opcode Fuzzy Hash: 6c44b8b2652ed3c52ba62c1e75537857bdc89360587007c152d5d510ed2f846a
Instruction Fuzzy Hash: E5F01D71483513ABD7515B94EEC8BD67B25BF01702F401126F101908A0C7749465CFA8

Function 004C1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 004C1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004C1DE1
WSAGetLastError.WSOCK32 ref: 004C1DF2
htons.WSOCK32(?,?,?,?,?), ref: 004C1EDB
inet_ntoa.WSOCK32(?), ref: 004C1E8C

Part of subcall function 004A39E8: _strlen.LIBCMT ref: 004A39F2

Part of subcall function 004C3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,004BEC0C), ref: 004C3240

_strlen.LIBCMT ref: 004C1F35

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: a7c9dd22c7bf19124c178beae0497bbc4a103ceffb229ab49a874501e58cb96d
Instruction ID: 6a0fa14d9d8498348cdba801ed78d82152eac6f8a8bebc09dbbc4505b345ef81
Opcode Fuzzy Hash: a7c9dd22c7bf19124c178beae0497bbc4a103ceffb229ab49a874501e58cb96d
Instruction Fuzzy Hash: F2B1CE38204300AFD324EF25C885F2A77A5AF86318F54854EF4565B3A3DB39ED46CB96

Function 00445D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00445D30
GetWindowRect.USER32(?,?), ref: 00445D71
ScreenToClient.USER32(?,?), ref: 00445D99
GetClientRect.USER32(?,?), ref: 00445ED7
GetWindowRect.USER32(?,?), ref: 00445EF8

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 62542fb794da41b2ab9ccbd2637820f96d8aeb583f37f453c478466c5bc1f646
Instruction ID: 72480a2ec9acf83b844885cf84cbf01574e8bbcb00171fe7afb2dfbd4f94d667
Opcode Fuzzy Hash: 62542fb794da41b2ab9ccbd2637820f96d8aeb583f37f453c478466c5bc1f646
Instruction Fuzzy Hash: 30B16A78A0064ADBDF10DFA9C4806EEB7F1FF54310F14881AE8A9D7250D738AA51DB59

Function 004701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004700D6
__allrem.LIBCMT ref: 004700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0047010B
__allrem.LIBCMT ref: 00470122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00470140

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 8a8774b65479ff81f8b32aeb959697c4ecd07da5f41e5d7322bf7996e4bbdb77
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 62811471A01706DBE724AA29DC41BAB73E8EF41328F24852FF554D7381E7B9D9008B99

Function 004761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004682D9,004682D9,?,?,?,0047644F,00000001,00000001,8BE85006), ref: 00476258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0047644F,00000001,00000001,8BE85006,?,?,?), ref: 004762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004763D8
__freea.LIBCMT ref: 004763E5

Part of subcall function 00473820: HeapAlloc.KERNEL32(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

__freea.LIBCMT ref: 004763EE
__freea.LIBCMT ref: 00476413

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: 3b74c31726adfd5b9e2d7e5b9a8c70b5125f019879bf5c2e6354832ed129786b
Instruction ID: 20addcb45620c3d18e578df516695351e0960e7c310a6fd9a0780419a31d9ded
Opcode Fuzzy Hash: 3b74c31726adfd5b9e2d7e5b9a8c70b5125f019879bf5c2e6354832ed129786b
Instruction Fuzzy Hash: DE510672600616ABDB259F74CC81EEF77AAEF44714F16862AFC09D6241DB38DC44C768

Function 004CBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CC9F1
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA68
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004CBD25
RegCloseKey.ADVAPI32(00000000), ref: 004CBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004CBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004CBDF3
RegCloseKey.ADVAPI32(?), ref: 004CBDFF

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: bb857fe8a601fc6518fa6bff3cb178f01867e09664ce1a746d359421ee4b4f9c
Instruction ID: 869207f936dda75d7b6bc8b350bcfa863f4f331a00f0e5929e38f6971bbf575f
Opcode Fuzzy Hash: bb857fe8a601fc6518fa6bff3cb178f01867e09664ce1a746d359421ee4b4f9c
Instruction Fuzzy Hash: 4281A174208241AFD754DF24C886E2BBBE5FF84308F14895EF45A4B2A2DB35ED05CB96

Function 0049F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0049F7B9
SysAllocString.OLEAUT32(00000001), ref: 0049F860
VariantCopy.OLEAUT32(0049FA64,00000000), ref: 0049F889
VariantClear.OLEAUT32(0049FA64), ref: 0049F8AD
VariantCopy.OLEAUT32(0049FA64,00000000), ref: 0049F8B1
VariantClear.OLEAUT32(?), ref: 0049F8BB

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f037b728decf34ba4bdff9310879a2df0bb7c65dfd1a0af1855e75be9c62c669
Instruction ID: 0e96e7a2286b37358978302b7170fa36509b667e24c9d413439ee043a2ecaa37
Opcode Fuzzy Hash: f037b728decf34ba4bdff9310879a2df0bb7c65dfd1a0af1855e75be9c62c669
Instruction Fuzzy Hash: 4B51E571500310BADF10AB66D895B69BBA4EF45314B24847BE806DF292DB78CC49C7AF

Function 004B910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00447620: _wcslen.LIBCMT ref: 00447625

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004B94E5
_wcslen.LIBCMT ref: 004B9506
_wcslen.LIBCMT ref: 004B952D
GetSaveFileNameW.COMDLG32(00000058), ref: 004B9585

Strings

X, xrefs: 004B9412

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 4f9a22d75b9391a044dd0da3248d40ae6de0b06557524159c56fde02e524513f
Instruction ID: fc33dbc26a5e39ec74f57721e8582fc996a6fcaa2d91cacdcaf4c9ab1452db09
Opcode Fuzzy Hash: 4f9a22d75b9391a044dd0da3248d40ae6de0b06557524159c56fde02e524513f
Instruction Fuzzy Hash: D8E194315083409FD724DF25C481A9BB7E0BF85318F14896EF9899B3A2DB35DD05CBA6

Function 0045920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

BeginPaint.USER32(?,?,?), ref: 00459241
GetWindowRect.USER32(?,?), ref: 004592A5
ScreenToClient.USER32(?,?), ref: 004592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004592D3
EndPaint.USER32(?,?,?,?,?), ref: 00459321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004971EA

Part of subcall function 00459339: BeginPath.GDI32(00000000), ref: 00459357

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 875fdfe8782e825b356bc2f9690063502b30fb2f741a747fc86d6d20401cdbab
Instruction ID: dd045b17d98a7e904e7a1406f694cfd32e55d5ef9c8618be4c25c069dd5f42f4
Opcode Fuzzy Hash: 875fdfe8782e825b356bc2f9690063502b30fb2f741a747fc86d6d20401cdbab
Instruction Fuzzy Hash: 7241B030105301EFDB10DF25CC85FBA7BA8EB59325F04066AFE64872A2C7349C49DB6A

Function 004B07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004B080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 004B0847
EnterCriticalSection.KERNEL32(?), ref: 004B0863
LeaveCriticalSection.KERNEL32(?), ref: 004B08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004B08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 004B0921

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 18a7e8f718bbf9e30a0168157bc6578e8704f60557ae24d6d5831e503a694aec
Instruction ID: 7d505282309eacf58b106f1ba9a3a871465df72214dac83a2fcf77a7d95f5d5b
Opcode Fuzzy Hash: 18a7e8f718bbf9e30a0168157bc6578e8704f60557ae24d6d5831e503a694aec
Instruction Fuzzy Hash: A4416871900205EBDF14AF55DC85AAB77B8FF04305F1440AAED00AA297DB34DE68DBA8

Function 004D81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0049F3AB,00000000,?,?,00000000,?,0049682C,00000004,00000000,00000000), ref: 004D824C
EnableWindow.USER32(?,00000000), ref: 004D8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004D82D1
ShowWindow.USER32(?,00000004), ref: 004D82E5
EnableWindow.USER32(?,00000001), ref: 004D830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004D832F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 6065a3ac7a61e88a810fd0874feb2e188f982ca7bd7243f69f370d6868508921
Instruction ID: 4dda4ff9f4f532e93b2cd8fab35a0e9d0f6a0309a71f9e075957fbe254f11ff0
Opcode Fuzzy Hash: 6065a3ac7a61e88a810fd0874feb2e188f982ca7bd7243f69f370d6868508921
Instruction Fuzzy Hash: E0417134601645AFDB11CF25CCA5BF57BE0BB0A715F1842EFEA184B362CB36A845CB58

Function 004A4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004A4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004A4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004A4CEA
_wcslen.LIBCMT ref: 004A4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004A4D10
_wcsstr.LIBVCRUNTIME ref: 004A4D1A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 0fbb6065c7664e33a3a0145330d6b5e73d7ac85625c41a0feed78f108ae0bda6
Instruction ID: 32d40bad69c6ad71967304679c1cf19ddec969ec7f7944f535f3a84abab70c75
Opcode Fuzzy Hash: 0fbb6065c7664e33a3a0145330d6b5e73d7ac85625c41a0feed78f108ae0bda6
Instruction Fuzzy Hash: B5210A316051017BEB155B359C49E7F7B9CDFD6750F10403FF805CA192EAA9DC01C265

Function 004B581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00443AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00443A97,?,?,00442E7F,?,?,?,00000000), ref: 00443AC2

_wcslen.LIBCMT ref: 004B587B
CoInitialize.OLE32(00000000), ref: 004B5995
CoCreateInstance.OLE32(004DFCF8,00000000,00000001,004DFB68,?), ref: 004B59AE
CoUninitialize.OLE32 ref: 004B59CC

Strings

.lnk, xrefs: 004B5876, 004B58C1, 004B5985

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 09f44e5ae4eb8db61ebc69197f775f482b1986c5ab27262fc05c29e2fae43e5a
Instruction ID: cf24147f627aa88f744292aa4e359fe15088e3bace29697af8c3078ae3385c9a
Opcode Fuzzy Hash: 09f44e5ae4eb8db61ebc69197f775f482b1986c5ab27262fc05c29e2fae43e5a
Instruction Fuzzy Hash: 74D15471A087019FC714DF25C480A6ABBE1FF89718F14885EF8899B361D739EC45CBA6

Function 004A175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004A0FCA
Part of subcall function 004A0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004A0FD6
Part of subcall function 004A0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004A0FE5
Part of subcall function 004A0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004A0FEC
Part of subcall function 004A0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004A1002

GetLengthSid.ADVAPI32(?,00000000,004A1335), ref: 004A17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004A17BA
HeapAlloc.KERNEL32(00000000), ref: 004A17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004A17DA
GetProcessHeap.KERNEL32(00000000,00000000,004A1335), ref: 004A17EE
HeapFree.KERNEL32(00000000), ref: 004A17F5

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 6f9f49de300008e69bd10427186cd14bbfb9e7e3f650dbf31626e63c3995f137
Instruction ID: 976d4ca628bef872555c544b1ca0658c17fffc67f5813a53e7043c9163bdf345
Opcode Fuzzy Hash: 6f9f49de300008e69bd10427186cd14bbfb9e7e3f650dbf31626e63c3995f137
Instruction Fuzzy Hash: A211D035501216FFDB109FA4CC89FAFBBB9EF52355F10402AF481A72A0C739A940CB68

Function 004A14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004A14FF
OpenProcessToken.ADVAPI32(00000000), ref: 004A1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004A1515
CloseHandle.KERNEL32(00000004), ref: 004A1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004A154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 004A1563

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 57eeda094e0d5ebaf6ec80180e767e2ac05c0211d024343bad6c57f6895f2e68
Instruction ID: 15ea8d859d0c465671aa0f3140cdcdf6b188f8fe3dbc65c85503299af5234cbc
Opcode Fuzzy Hash: 57eeda094e0d5ebaf6ec80180e767e2ac05c0211d024343bad6c57f6895f2e68
Instruction Fuzzy Hash: 9B11297250120AABDF128F98DE89BDE7BA9EF49744F044126FA05A21A0C375CE61DB64

Function 00463382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00463379,00462FE5), ref: 00463390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0046339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004633B7
SetLastError.KERNEL32(00000000,?,00463379,00462FE5), ref: 00463409

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6f46e9e5035638292410431de33220795ab12b35bbeba484b99326c1d44c91e4
Instruction ID: 5564d2cd645d4ee8fdadce5634438be60f8a9652e17869fc412d8015dc5ec08c
Opcode Fuzzy Hash: 6f46e9e5035638292410431de33220795ab12b35bbeba484b99326c1d44c91e4
Instruction Fuzzy Hash: 0C01F532609351BEEA242F75AC8956F2E54DB1677B320032FF811803F1FF195D15A14E

Function 00472D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00475686,00483CD6,?,00000000,?,00475B6A,?,?,?,?,?,0046E6D1,?,00508A48), ref: 00472D78
_free.LIBCMT ref: 00472DAB
_free.LIBCMT ref: 00472DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0046E6D1,?,00508A48,00000010,00444F4A,?,?,00000000,00483CD6), ref: 00472DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0046E6D1,?,00508A48,00000010,00444F4A,?,?,00000000,00483CD6), ref: 00472DEC
_abort.LIBCMT ref: 00472DF2

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c7b83281f33f44de51ed633356533f66327e115e139edabf9274c1445b4173ff
Instruction ID: 29741c454269a0fc804e15d6f851d3e66cb89a8ab89a42e72dced2cc05025eab
Opcode Fuzzy Hash: c7b83281f33f44de51ed633356533f66327e115e139edabf9274c1445b4173ff
Instruction Fuzzy Hash: 2AF0493150150037C63227397E06ADF1619AFC2365F24C51FF82C922D2DEAC8841912C

Function 004D8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00459639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00459693
Part of subcall function 00459639: SelectObject.GDI32(?,00000000), ref: 004596A2
Part of subcall function 00459639: BeginPath.GDI32(?), ref: 004596B9
Part of subcall function 00459639: SelectObject.GDI32(?,00000000), ref: 004596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 004D8A4E
LineTo.GDI32(?,00000003,00000000), ref: 004D8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 004D8A70
LineTo.GDI32(?,00000000,00000003), ref: 004D8A80
EndPath.GDI32(?), ref: 004D8A90
StrokePath.GDI32(?), ref: 004D8AA0

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 245919cc8688d0b38c734412184057a0c6759b8ef3b73f15e3b89e0c123529c7
Instruction ID: 879d9942a8ef9d6acfb98ed3872ea6ea06db535d15b9b0469ff273e25553ce45
Opcode Fuzzy Hash: 245919cc8688d0b38c734412184057a0c6759b8ef3b73f15e3b89e0c123529c7
Instruction Fuzzy Hash: 0411177600114DFFEF129F90DC88EEA7F6CEB08354F008066BA199A2A1C7719D55DFA4

Function 004A51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004A5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 004A5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004A5230
ReleaseDC.USER32(00000000,00000000), ref: 004A5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 004A524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 004A5261

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: fdf42a5185e83e33acf756eea995a0baed75cda116181788e125eec15ab0aab5
Instruction ID: 843fc4c000778595a95891ad08ca1764b7578ec82991bca07192dea46f208f45
Opcode Fuzzy Hash: fdf42a5185e83e33acf756eea995a0baed75cda116181788e125eec15ab0aab5
Instruction Fuzzy Hash: DC018F75A01719BBEF109BA69C89B4EBFB8EF48351F044076FA04A7280D6709800CFA4

Function 00441BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00441BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00441BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00441C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00441C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00441C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00441C22

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c83abf816e19fbe678a3d153e99f99e7b88ef4ebd3da3a05734020392ece87c1
Instruction ID: 2fc67f94d43fd28da8e938f7441fca47cbb14ae0c51f724563d231210af2015c
Opcode Fuzzy Hash: c83abf816e19fbe678a3d153e99f99e7b88ef4ebd3da3a05734020392ece87c1
Instruction Fuzzy Hash: 160167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 004AEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004AEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004AEB46
GetWindowThreadProcessId.USER32(?,?), ref: 004AEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004AEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004AEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004AEB75

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 77412e03bd695e857d9913174056e9f9331512be6b286cd82ff738a9786ecf35
Instruction ID: 7054845605fcb9c4d7f14d4bd4a228761581e58e61b844e4f67e71ce4ff4a0e9
Opcode Fuzzy Hash: 77412e03bd695e857d9913174056e9f9331512be6b286cd82ff738a9786ecf35
Instruction Fuzzy Hash: 79F05472142169BBEB215B529C4DEEF7F7CEFCBB11F00016AF611D1191DBA05A01CAB9

Function 00497439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00497452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00497469
GetWindowDC.USER32(?), ref: 00497475
GetPixel.GDI32(00000000,?,?), ref: 00497484
ReleaseDC.USER32(?,00000000), ref: 00497496
GetSysColor.USER32(00000005), ref: 004974B0

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f0dd28f1dea1d8d4c387c3e1d8b667d78e567d94ab241d668091df8176e53693
Instruction ID: f04e4643b0f4c4b5e92895c49a5107594a6ef7fdfe19b53a95548838e2490c6c
Opcode Fuzzy Hash: f0dd28f1dea1d8d4c387c3e1d8b667d78e567d94ab241d668091df8176e53693
Instruction Fuzzy Hash: 8E018B31405216FFDB105FA4DC48BAE7FB5FB04311F100172F916A21A1CB311E42EB59

Function 004A1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 004A187F
UnloadUserProfile.USERENV(?,?), ref: 004A188B
CloseHandle.KERNEL32(?), ref: 004A1894
CloseHandle.KERNEL32(?), ref: 004A189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004A18A5
HeapFree.KERNEL32(00000000), ref: 004A18AC

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a5845da449ff2005859ee37426824915d896e0d9511d9cc719c3049bca7ad70b
Instruction ID: 3d53e895ff4190afc8237d2857e3676783268a3ab1009ebf35200e3d3ccb2326
Opcode Fuzzy Hash: a5845da449ff2005859ee37426824915d896e0d9511d9cc719c3049bca7ad70b
Instruction Fuzzy Hash: EBE0E536085112FBDB016FA1ED4C90ABF39FF49B22B108232F225810B0CB329420DF58

Function 004AC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00447620: _wcslen.LIBCMT ref: 00447625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004AC6EE
_wcslen.LIBCMT ref: 004AC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004AC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004AC7CA

Strings

0, xrefs: 004AC6AF

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: fb02238f335323e48a5a6731f5ca24692a2c050b2e2442b6639f74942c8d6e9e
Instruction ID: e9de0057a82d3101d306c3bf0d885291ea8b28e1133229dc707f52b5993a6edf
Opcode Fuzzy Hash: fb02238f335323e48a5a6731f5ca24692a2c050b2e2442b6639f74942c8d6e9e
Instruction Fuzzy Hash: F751F2756043029BD791DF28C8C5B6B77E4AF6A314F040A2FF991D2291DB68D844CB5E

Function 004CAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 004CAEA3

Part of subcall function 00447620: _wcslen.LIBCMT ref: 00447625

GetProcessId.KERNEL32(00000000), ref: 004CAF38
CloseHandle.KERNEL32(00000000), ref: 004CAF67

Strings

@, xrefs: 004CAE72
<, xrefs: 004CAE6B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: decd8510b3a5346767fe3b29c6d8b5733241559eb7d0698ed9ce953485dcd738
Instruction ID: eb3454d2df6e9497d491bec623619317b1cf6e1e54fcbe778e461964d3bec5d4
Opcode Fuzzy Hash: decd8510b3a5346767fe3b29c6d8b5733241559eb7d0698ed9ce953485dcd738
Instruction Fuzzy Hash: 45717774A00619DFDB10EF55C484A9EBBF0EF08318F04849EE816AB392C778ED45CB99

Function 004A719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 004A7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004A723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004A724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004A72CF

Strings

DllGetClassObject, xrefs: 004A7242

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 428432876d29d91d613f319c34e7018e40604d125267dc3a9253c5e804b657b8
Instruction ID: c6391443badf660c9680812f54962052c7dd08a41da0e738279d96f76e949374
Opcode Fuzzy Hash: 428432876d29d91d613f319c34e7018e40604d125267dc3a9253c5e804b657b8
Instruction Fuzzy Hash: 62418E72604204AFDB25CF54CC84B9A7BA9EF55310F1480AFFD059F24AD7B8D945CBA4

Function 004D3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004D3E35
IsMenu.USER32(?), ref: 004D3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004D3E92
DrawMenuBar.USER32 ref: 004D3EA5

Strings

0, xrefs: 004D3D89

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: ddf1027fc23c76eaf2cdb71c26b891b3d3037cab7cf9d36f4f0acf8fb0989682
Instruction ID: 6f42d7d2e0be1b43691b42970ae5d8c4c3969089ee4154642ef558c2161ee4d5
Opcode Fuzzy Hash: ddf1027fc23c76eaf2cdb71c26b891b3d3037cab7cf9d36f4f0acf8fb0989682
Instruction Fuzzy Hash: 40418875A01209EFDB10DF50D894AEABBB9FF48351F04412BE901AB390D338AE44CF55

Function 004A1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004A1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004A1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 004A1EA9

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

Strings

ComboBox, xrefs: 004A1DF0
ListBox, xrefs: 004A1E25

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 244888ccfc63faed657285dc39a12706668cfcecd267b398e107c46c33a10def
Instruction ID: 8062b52d5b2c8e71e972e48395cd1888bbb04a108106836093ac1577a3ca7879
Opcode Fuzzy Hash: 244888ccfc63faed657285dc39a12706668cfcecd267b398e107c46c33a10def
Instruction Fuzzy Hash: 2921F671A00104AAEB14AB65DC86CFFB7B9DF56364F10412FF815A72E1DB3C4D0A9628

Function 004D2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004D2F8D
LoadLibraryW.KERNEL32(?), ref: 004D2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004D2FA9
DestroyWindow.USER32(?), ref: 004D2FB1

Strings

SysAnimate32, xrefs: 004D2F68

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 2e07c8187005f3f5b2dd8b7b8abff6cbb2ca9c14b5ffecc1963abd3e76e293cf
Instruction ID: 69fc5b359d6b0e2a13b62caa9ddc6e2c35d8bf9d31ac1f74028bdf8afb82e4b9
Opcode Fuzzy Hash: 2e07c8187005f3f5b2dd8b7b8abff6cbb2ca9c14b5ffecc1963abd3e76e293cf
Instruction Fuzzy Hash: 3F219D71204205ABEB104F64DD90EBB37B9EB69368F104A2FF950D2390D7B5DC51A768

Function 00464D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00464D1E,004728E9,?,00464CBE,004728E9,005088B8,0000000C,00464E15,004728E9,00000002), ref: 00464D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00464DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00464D1E,004728E9,?,00464CBE,004728E9,005088B8,0000000C,00464E15,004728E9,00000002,00000000), ref: 00464DC3

Strings

CorExitProcess, xrefs: 00464D98
mscoree.dll, xrefs: 00464D86

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42afb1069db028b076edf69e026581dc4d11917a89267236b1ed0d6a6a8006bb
Instruction ID: b5cccaf866178dff355ca40e95ed31c07f5767f49721edb1756690f199d1f851
Opcode Fuzzy Hash: 42afb1069db028b076edf69e026581dc4d11917a89267236b1ed0d6a6a8006bb
Instruction Fuzzy Hash: E6F0C230A01219FBDB109F91DC49BAEBFB8EF44752F0001AAF805A2260DF745D80DF99

Function 00444E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00444EDD,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00444EAE
FreeLibrary.KERNEL32(00000000,?,?,00444EDD,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444EC0

Strings

kernel32.dll, xrefs: 00444E94
Wow64DisableWow64FsRedirection, xrefs: 00444EA8

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a52d7c486517354af01fbd597d2dd8e2094850c149b3bb82e714c66a353d95ee
Instruction ID: 39f81a769c156fd04c0515c632d7469be6a33372fb770abbe9968e9c434623e5
Opcode Fuzzy Hash: a52d7c486517354af01fbd597d2dd8e2094850c149b3bb82e714c66a353d95ee
Instruction Fuzzy Hash: 8DE08635A025339BE22117256C5CB5F6758AFC2B637150127FC00D2354DF68CD01C4A8

Function 00444E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00483CDE,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00444E74
FreeLibrary.KERNEL32(00000000,?,?,00483CDE,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E87

Strings

kernel32.dll, xrefs: 00444E5B
Wow64RevertWow64FsRedirection, xrefs: 00444E6E

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 97d88044aaa0a9573afed22ef4006c318c2a5e130005890dad4da1b76f5d56f7
Instruction ID: 032ed8dc186aa5f1ede4550bf8e68155a515bc15e5fa9291530e4bd3d326e81d
Opcode Fuzzy Hash: 97d88044aaa0a9573afed22ef4006c318c2a5e130005890dad4da1b76f5d56f7
Instruction Fuzzy Hash: EAD01235503A3357AA221B257C58F8F6B1CAFC6B613150627B905E7255DF68CD01C9DC

Function 004B2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004B2C05
DeleteFileW.KERNEL32(?), ref: 004B2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004B2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004B2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004B2CC0

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: e3fbaa4ca9db7880c20dd252943ee3814587d20084a5c30b44092b4089e9980d
Instruction ID: 47793e12897cbf770b1800174fc7eca6335dd580bd72017748ef09ce128b468f
Opcode Fuzzy Hash: e3fbaa4ca9db7880c20dd252943ee3814587d20084a5c30b44092b4089e9980d
Instruction Fuzzy Hash: E5B17F72D00119ABDF11DFA5CD85EDEBBBDEF08344F0040ABF609E6151EA789A448F69

Function 004CA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 004CA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004CA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 004CA468
CloseHandle.KERNEL32(?), ref: 004CA63D

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: a538167c27b50ec615eaa3039d440dcfc0403909b86a0eb752af845ef7d02aab
Instruction ID: 9711f706c4519f47684008f72a35ae953cd2308f277f9d694686834f59889f96
Opcode Fuzzy Hash: a538167c27b50ec615eaa3039d440dcfc0403909b86a0eb752af845ef7d02aab
Instruction Fuzzy Hash: 8CA1B275604300AFE760DF15C886F2AB7E1AF44718F14881EF99A9B3D2D778EC058B86

Function 0047BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004E3700), ref: 0047BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0051121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0047BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00511270,000000FF,?,0000003F,00000000,?), ref: 0047BC36
_free.LIBCMT ref: 0047BB7F

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 0047BD4B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 276b51e5f38a2010c25b3fd0b5eb7560db9500ab1718391f505ea7aecc38e0b2
Instruction ID: 36abbe61f609a4e358f630cda4bc591fb37c0ed63ca088b1fb67e8a00552de0a
Opcode Fuzzy Hash: 276b51e5f38a2010c25b3fd0b5eb7560db9500ab1718391f505ea7aecc38e0b2
Instruction Fuzzy Hash: 0051E8719002099FCB10DF668C81AEEB7BCEF41314B10C26FE928D7291DB745D459BD8

Function 004AE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004ACF22,?), ref: 004ADDFD

Part of subcall function 004ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004ACF22,?), ref: 004ADE16

Part of subcall function 004AE199: GetFileAttributesW.KERNEL32(?,004ACF95), ref: 004AE19A

lstrcmpiW.KERNEL32(?,?), ref: 004AE473
MoveFileW.KERNEL32(?,?), ref: 004AE4AC
_wcslen.LIBCMT ref: 004AE5EB
_wcslen.LIBCMT ref: 004AE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 004AE650

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 44ebc582039cb7a23a3d5423174b7aeec60bc2a837f9fe273fd51a337e9983c7
Instruction ID: 897d3cd52eb352a1f64d2834dc765b13a8cde13c1b2585ad773e1d4c0173963b
Opcode Fuzzy Hash: 44ebc582039cb7a23a3d5423174b7aeec60bc2a837f9fe273fd51a337e9983c7
Instruction Fuzzy Hash: 6F51A2B24083455BD724EBA1DC819DBB3DCAFA5344F00092FF699C3151EF78A588876E

Function 004CB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CC9F1
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA68
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004CBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004CBB63
RegCloseKey.ADVAPI32(?,?), ref: 004CBBA6
RegCloseKey.ADVAPI32(00000000), ref: 004CBBB3

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f2bdf343f6aff28bacf839fec2df76dde15904531ce6549f1f9d39a148a0c530
Instruction ID: 2afbe340d09e01684d77cfad7e2fbd045d5f549aaa1c595d5eccc796e0c765a0
Opcode Fuzzy Hash: f2bdf343f6aff28bacf839fec2df76dde15904531ce6549f1f9d39a148a0c530
Instruction Fuzzy Hash: C7618B35208241AFD714DF14C891F2ABBE5FF84308F14896EF4998B2A2DB35ED45CB96

Function 004A8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004A8BCD
VariantClear.OLEAUT32 ref: 004A8C3E
VariantClear.OLEAUT32 ref: 004A8C9D
VariantClear.OLEAUT32(?), ref: 004A8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004A8D3B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4b3301414afd89d13dbc46a0a1a8a68ad9608bcba00535aba5b94d5622e6f6b0
Instruction ID: 6928d5b730bd665ad8bd0613602d672ec2b6ef88de7596e7fb3fa46fdc0f1855
Opcode Fuzzy Hash: 4b3301414afd89d13dbc46a0a1a8a68ad9608bcba00535aba5b94d5622e6f6b0
Instruction Fuzzy Hash: 8E518AB1A00219EFDB10CF28C884AAAB7F8FF99310B15856AE905DB350E734E911CF94

Function 004B8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004B8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 004B8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004B8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004B8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004B8C5F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 405cd21dd70ef724c6cf72039f546e0a2447c9ea4ac4e2de6077a09c2faffc89
Instruction ID: 8dbb53c6182c20db45c80b15fb1031720733e16cb25c61f476f20f602aa80a4c
Opcode Fuzzy Hash: 405cd21dd70ef724c6cf72039f546e0a2447c9ea4ac4e2de6077a09c2faffc89
Instruction Fuzzy Hash: DF516135A00215AFDB00DF65C881A6EBBF5FF49318F08845DE8496B362CB35ED51CB94

Function 004C8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 004C8F40
GetProcAddress.KERNEL32(00000000,?), ref: 004C8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 004C8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 004C9032
FreeLibrary.KERNEL32(00000000), ref: 004C9052

Part of subcall function 0045F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,004B1043,?,7644E610), ref: 0045F6E6
Part of subcall function 0045F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0049FA64,00000000,00000000,?,?,004B1043,?,7644E610,?,0049FA64), ref: 0045F70D

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3e635d17b80f301c26e3086e5f97fdd57325e570f749e3872301964087f66f78
Instruction ID: b9db350ff910227d584071d7a27b4d34cca7c0eba4d41b9d86996a4a5a08e6c3
Opcode Fuzzy Hash: 3e635d17b80f301c26e3086e5f97fdd57325e570f749e3872301964087f66f78
Instruction Fuzzy Hash: D2514B38601205EFD741DF59C484DAEBBB1FF49318B0480AEE8099B362DB35ED86CB95

Function 004D6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 004D6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 004D6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 004D6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,004BAB79,00000000,00000000), ref: 004D6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 004D6CC7

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: c3c6eac817658d178012c59fad58d5ae7f1b4e2f0c9b93d1b63600e06711c036
Instruction ID: beb019e79bc939d542b93bc3b5d33c18c21f86c39bef2c7b1235e94fb8b6d264
Opcode Fuzzy Hash: c3c6eac817658d178012c59fad58d5ae7f1b4e2f0c9b93d1b63600e06711c036
Instruction Fuzzy Hash: C7410635610114AFDB24CF28CCA8FAA7BA5EB09750F16026BF995A73E0C375ED41DA48

Function 0045912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00459141
ScreenToClient.USER32(00000000,?), ref: 0045915E
GetAsyncKeyState.USER32(00000001), ref: 00459183
GetAsyncKeyState.USER32(00000002), ref: 0045919D

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 7f68a62a2e30f354b5f290b99303e9bf316ed89dbfebe0a8be89baa33754da34
Instruction ID: 45d1c7f9555b6bb2a9b00fa1ecb847902e0fb70681f8f061b8de6ede00ba29b5
Opcode Fuzzy Hash: 7f68a62a2e30f354b5f290b99303e9bf316ed89dbfebe0a8be89baa33754da34
Instruction Fuzzy Hash: 9A416E3190861BFBDF059F64C844BEEBB74FB05325F20822BE825A2391C7385D54CB59

Function 004B3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004B38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 004B3922
TranslateMessage.USER32(?), ref: 004B394B
DispatchMessageW.USER32(?), ref: 004B3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B3966

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d20046e7ee86fbbb63a3752f52df6fe807b1c37c4ed4b7c465be641261e34aea
Instruction ID: 2b84c158a0598ce82062e6dcaef4fbbec360e06a0c1dd47e41d238d7c0f57a14
Opcode Fuzzy Hash: d20046e7ee86fbbb63a3752f52df6fe807b1c37c4ed4b7c465be641261e34aea
Instruction Fuzzy Hash: 4931BDB0504742AEEF35CF369848BF737E49B15305F04456FD562C22A0E7B8A689DB39

Function 004BCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,004BC21E,00000000), ref: 004BCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 004BCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,004BC21E,00000000), ref: 004BCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,004BC21E,00000000), ref: 004BCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,004BC21E,00000000), ref: 004BCFF2

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: ee0e51d24d814db839728b1645dd31e5e16c1c9e17ac130f09277e73a39a8345
Instruction ID: 21ead6be47b2dd18e2fea094691d226204665ab19b482cc22d234b4c166bb2f4
Opcode Fuzzy Hash: ee0e51d24d814db839728b1645dd31e5e16c1c9e17ac130f09277e73a39a8345
Instruction Fuzzy Hash: 67314D71A00206AFDB20DFA5C8C49BBBBFAEB14355B1044AFF506D2281D738AD45DB68

Function 004A1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004A1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004A19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004A19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004A19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004A19E2

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5fc6d21c18e30290d7cfeb94d6cafe41987ffbbba381dce5d061e2c710e5bf30
Instruction ID: e95b92b144b017121951110cdc9aa9aa7428a3a27df9a4c4f5f14f9b4e859331
Opcode Fuzzy Hash: 5fc6d21c18e30290d7cfeb94d6cafe41987ffbbba381dce5d061e2c710e5bf30
Instruction Fuzzy Hash: 1031C2B1900219EFCB00CFA8CD99ADF3BB9EB15315F10422AF921AB2E1C7749954CB94

Function 004D5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 004D5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 004D579D
_wcslen.LIBCMT ref: 004D57AF
_wcslen.LIBCMT ref: 004D57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 004D5816

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: ee75dc562211cbd6a355595cb3664f73768dc73572e02ab2cc90eae4c8deb618
Instruction ID: 58cf9e6dc0495556f3c8e2c04c24169b0ba0f34aab9745ee4d30e30f7155c49d
Opcode Fuzzy Hash: ee75dc562211cbd6a355595cb3664f73768dc73572e02ab2cc90eae4c8deb618
Instruction Fuzzy Hash: 6F21A771904618DADB20DF64CC94AEE77B8FF05324F10815BF919DA380DB748985CF59

Function 004C0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004C0951
GetForegroundWindow.USER32 ref: 004C0968
GetDC.USER32(00000000), ref: 004C09A4
GetPixel.GDI32(00000000,?,00000003), ref: 004C09B0
ReleaseDC.USER32(00000000,00000003), ref: 004C09E8

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f111ac8955c0b07280508b4195262271887ac254f883208041b0bef1da7a9c55
Instruction ID: e21860a37239595613a8fd74549e2308db0496ef641bf6ec70afca60ad345206
Opcode Fuzzy Hash: f111ac8955c0b07280508b4195262271887ac254f883208041b0bef1da7a9c55
Instruction Fuzzy Hash: 3B215E75600214AFD744EF65C984AAEBBE5EF44744F04846EE84A97362CA34EC04CB94

Function 0047CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0047CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047CDE9

Part of subcall function 00473820: HeapAlloc.KERNEL32(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0047CE0F
_free.LIBCMT ref: 0047CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0047CE31

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: 29ac7683cbbf886fcc471cb1927c73d65fde28721c0c1d4d6cbe04cfdbc91d6a
Instruction ID: 7ec8fcaa3ff830aec889c0649b52ebb2e5422a3d7949cb89c80289662a25ad5c
Opcode Fuzzy Hash: 29ac7683cbbf886fcc471cb1927c73d65fde28721c0c1d4d6cbe04cfdbc91d6a
Instruction Fuzzy Hash: C501D8726026157F272116B66CC8CBF6A6DDFC6BA1315812FFD09C7200DA688D0281B9

Function 00459639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00459693
SelectObject.GDI32(?,00000000), ref: 004596A2
BeginPath.GDI32(?), ref: 004596B9
SelectObject.GDI32(?,00000000), ref: 004596E2

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: db7da3f69bc1959f95ef1732383d6e5ccfb89d8b5cd4f6c8944f5b726d7bc670
Instruction ID: eda12c50c749bd8939734da0ce962ed544f2cae061badbff61760bded230865c
Opcode Fuzzy Hash: db7da3f69bc1959f95ef1732383d6e5ccfb89d8b5cd4f6c8944f5b726d7bc670
Instruction Fuzzy Hash: C2217130802706EBDB119F64DC557EE7BA5BB20316F108267F920961A1D3785C5DDF9C

Function 004A5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004A5726
_memcmp.LIBVCRUNTIME ref: 004A5744
_memcmp.LIBVCRUNTIME ref: 004A5757
_memcmp.LIBVCRUNTIME ref: 004A576F
_memcmp.LIBVCRUNTIME ref: 004A5787

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a61a087a6a27566e95125a28a4182acb567a162141928541f6f5d2c5310c1195
Instruction ID: b7a427bcda0dbcb53ba0bfce7455c1b2e2b7b28630cf46cd425e426177da6559
Opcode Fuzzy Hash: a61a087a6a27566e95125a28a4182acb567a162141928541f6f5d2c5310c1195
Instruction Fuzzy Hash: 29012669240A04BAA21851118E42FFB234C9B323A8F144037FD06AAB41F72CED1082AE

Function 00472DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0046F2DE,00473863,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6), ref: 00472DFD
_free.LIBCMT ref: 00472E32
_free.LIBCMT ref: 00472E59
SetLastError.KERNEL32(00000000,00441129), ref: 00472E66
SetLastError.KERNEL32(00000000,00441129), ref: 00472E6F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0068df6a5e92328438a04c93208a2c8bfadd92844b57d013a782f23a3b40a766
Instruction ID: b342478b09e43f567c51bdbfc38e7e1297f4a91df7d4f2e52f57303b5e7675b9
Opcode Fuzzy Hash: 0068df6a5e92328438a04c93208a2c8bfadd92844b57d013a782f23a3b40a766
Instruction Fuzzy Hash: C301497224160077C61227352E85DEB265DABD5379B24C02FF82CA22D3EFEC8C45902C

Function 004A000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 004A002B
ProgIDFromCLSID.OLE32(?,00000000), ref: 004A0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?), ref: 004A0054
CoTaskMemFree.OLE32(00000000), ref: 004A0064
CLSIDFromString.OLE32(?,?), ref: 004A0070

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b9c9f500950010a91fe6d594c0c2f5f90f5879d5c344827024e6bdd039663625
Instruction ID: efd20aa6bc9e0810138c0ee0a2149bbbdd4274dd76a7d21996da54bdd8fc54eb
Opcode Fuzzy Hash: b9c9f500950010a91fe6d594c0c2f5f90f5879d5c344827024e6bdd039663625
Instruction Fuzzy Hash: 7B01DBB2605205BFDB105F68EC84FAB7BAEEB58392F104126F901E2210E778CD00DBA4

Function 004AE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 004AE997
QueryPerformanceFrequency.KERNEL32(?), ref: 004AE9A5
Sleep.KERNEL32(00000000), ref: 004AE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 004AE9B7
Sleep.KERNEL32 ref: 004AE9F3

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 584b643211502e390f196720e310656b75c3d934fa5640b710901e50938d473c
Instruction ID: 125b6d0e9ef8b1d171f45e30b7e483f02d2f84bb112c9b59db4f9e4e3f76545d
Opcode Fuzzy Hash: 584b643211502e390f196720e310656b75c3d934fa5640b710901e50938d473c
Instruction Fuzzy Hash: BC015E71C01629DBCF009BE6D9896DEBB78BB1A300F000557D512B2280CB345551CB69

Function 004A10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004A1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004A114D

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: fc5cf63baaca712a6dfe296e855a2187a71c0bc410376cb878e1567ef223327b
Instruction ID: 0ff613c46cd3df26d405c9579ac427b82874471ef4583c0c23bb494a8868b0aa
Opcode Fuzzy Hash: fc5cf63baaca712a6dfe296e855a2187a71c0bc410376cb878e1567ef223327b
Instruction Fuzzy Hash: F2011975201216BFDB114FA5DC89A6B3B6EEF8A3A4B20442AFA45D7360DA31DC00DA64

Function 004A0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004A0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004A0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004A0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004A0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004A1002

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: dbbda175da9d84a8dbc0919b6d61714fcd7f271c6d8e7ef800e71b756c675628
Instruction ID: e17e0d8f00677d79dd1b8e87eb12ecb418ddba6be4004071de9844e1e3ab2597
Opcode Fuzzy Hash: dbbda175da9d84a8dbc0919b6d61714fcd7f271c6d8e7ef800e71b756c675628
Instruction Fuzzy Hash: BAF06D35241312EBEB214FA4DC8DF5B3BADEF8A762F114426FA45D72A1CA74DC40CA64

Function 004A1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004A102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004A1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004A1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004A104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004A1062

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f64ae0021afd97782f982999f3a48da71119908e0025155f8a14d70a9d3ba384
Instruction ID: 716b2252bca9087fce3a3c4f14a2d310f9ab97b96bada927df80d192b5a3b4ce
Opcode Fuzzy Hash: f64ae0021afd97782f982999f3a48da71119908e0025155f8a14d70a9d3ba384
Instruction Fuzzy Hash: 87F06235141312EBDB225FA4EC89F5B3B6DEF8A761F110426F945D72A0CA74D840CA64

Function 004B030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B0324
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B0331
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B033E
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B034B
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B0358
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B0365

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 20c30cb9a9318ccdc111b99c159153f55532dd6cc1f00a8aa142afc9054e1361
Instruction ID: baf1438ff7e6ca38d5065130e5bbdf2e228e9fa6ea546432583a3500faae1d0b
Opcode Fuzzy Hash: 20c30cb9a9318ccdc111b99c159153f55532dd6cc1f00a8aa142afc9054e1361
Instruction Fuzzy Hash: A601EE72800B058FCB30AF66D880843FBF9BF603063049A3FD19252A30C3B4A988CF94

Function 0047D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0047D752

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 0047D764
_free.LIBCMT ref: 0047D776
_free.LIBCMT ref: 0047D788
_free.LIBCMT ref: 0047D79A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 67921b22d40125357a042d4e89d3aa10ebf62758bc86094a8f63ee98ea5db302
Instruction ID: 44cc389e7f607fb351514d9eb1291057d6996fb77180a364c7f48df3a27e2005
Opcode Fuzzy Hash: 67921b22d40125357a042d4e89d3aa10ebf62758bc86094a8f63ee98ea5db302
Instruction Fuzzy Hash: DBF036F251020457C625E765F9C2C9B7BEDBF45310B98880AF14DE7502C728FC84466C

Function 004A5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004A5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 004A5C6F
MessageBeep.USER32(00000000), ref: 004A5C87
KillTimer.USER32(?,0000040A), ref: 004A5CA3
EndDialog.USER32(?,00000001), ref: 004A5CBD

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: cb605bda5d0c3a715d9f9488185d3b38c4d871093b29947d7990c341e0fba651
Instruction ID: 698de01f7a73d9c92982753ead982fa21416b4c6b5a005ed421d7865272dfc6a
Opcode Fuzzy Hash: cb605bda5d0c3a715d9f9488185d3b38c4d871093b29947d7990c341e0fba651
Instruction Fuzzy Hash: ED018B305017059BFB205B10DE8EF9677B8FB11705F00166BA543A14E1D7F4A944CA59

Function 004722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004722BE

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 004722D0
_free.LIBCMT ref: 004722E3
_free.LIBCMT ref: 004722F4
_free.LIBCMT ref: 00472305

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d2d1ff88a47bc1c6be6c18aa5a8cc5f5dc2d875d045c113f01e2d4bfe309f349
Instruction ID: 93e023ed3bb41a0002f92b686a8870a9c4a9c0d273fabfe16e51a71e4cc346f1
Opcode Fuzzy Hash: d2d1ff88a47bc1c6be6c18aa5a8cc5f5dc2d875d045c113f01e2d4bfe309f349
Instruction Fuzzy Hash: 76F01DF85015108BC612AF65AD028CD7E64BB39750B05D64BF518D22B1C7B904DABAAC

Function 004595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004595D4
StrokeAndFillPath.GDI32(?,?,004971F7,00000000,?,?,?), ref: 004595F0
SelectObject.GDI32(?,00000000), ref: 00459603
DeleteObject.GDI32 ref: 00459616
StrokePath.GDI32(?), ref: 00459631

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 82a5ca17e007ba1f60cafa17a36cbbd813939461611b12aea9eaee306b157317
Instruction ID: 6e4e42c85efc4352b968b89ac8c70058478555dc6e53e3f4396fbf5ef8f38b2f
Opcode Fuzzy Hash: 82a5ca17e007ba1f60cafa17a36cbbd813939461611b12aea9eaee306b157317
Instruction Fuzzy Hash: 4EF03C31006A09EBDB165F65ED5C7A93B61AB10322F04C266FA25551F1C73489ADEF2C

Function 00470F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004710F9
__freea.LIBCMT ref: 00471117

Part of subcall function 00471537: _free.LIBCMT ref: 0047154F

Strings

a/p, xrefs: 004711DE
am/pm, xrefs: 0047117A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 8177489804e67560fe78baf08118f817c0114d23f041e5b0c184eb2ab3113ec5
Instruction ID: cc8f07359c9cf1f880bdcdf81cc7a4d9c09c91c6372003f068ea5dbaa13e8003
Opcode Fuzzy Hash: 8177489804e67560fe78baf08118f817c0114d23f041e5b0c184eb2ab3113ec5
Instruction Fuzzy Hash: 3DD1F231900245CAEB249F6CC895BFBB7B4EF05304F28815BE909ABB61D37D9D81CB59

Function 004C61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00460242: EnterCriticalSection.KERNEL32(0051070C,00511884,?,?,0045198B,00512518,?,?,?,004412F9,00000000), ref: 0046024D
Part of subcall function 00460242: LeaveCriticalSection.KERNEL32(0051070C,?,0045198B,00512518,?,?,?,004412F9,00000000), ref: 0046028A

Part of subcall function 004600A3: __onexit.LIBCMT ref: 004600A9

__Init_thread_footer.LIBCMT ref: 004C6238

Part of subcall function 004601F8: EnterCriticalSection.KERNEL32(0051070C,?,?,00458747,00512514), ref: 00460202
Part of subcall function 004601F8: LeaveCriticalSection.KERNEL32(0051070C,?,00458747,00512514), ref: 00460235

Part of subcall function 004B359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004B35E4
Part of subcall function 004B359C: LoadStringW.USER32(00512390,?,00000FFF,?), ref: 004B360A

Strings

x#Q, xrefs: 004C636F
x#Q, xrefs: 004C633A
x#Q, xrefs: 004C6353

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#Q$x#Q$x#Q
API String ID: 1072379062-530750269
Opcode ID: fbf9348370fbb2904d5f9c8789440eb99d33fb7584c641fdb19d870c3907391c
Instruction ID: 2bb6a7a682444ce94b255ffcfe83778f06d9648d25b0ad46c9e0b4792dd7693f
Opcode Fuzzy Hash: fbf9348370fbb2904d5f9c8789440eb99d33fb7584c641fdb19d870c3907391c
Instruction Fuzzy Hash: 23C19B75A00105AFDB14EF98C890EBEB7B9FF48304F11806EE9059B291DB78ED45CB99

Function 00475AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOD, xrefs: 00475BA8, 00475C6C

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: JOD
API String ID: 0-2216429383
Opcode ID: 6c036bd02561536f8db9f9dad403c58c3cfbc09ad4b2b930c5153fb4c0894f0b
Instruction ID: 855c4581019b82349fb6a31fab86fb240dea39272188df046d2daf10b22c89ed
Opcode Fuzzy Hash: 6c036bd02561536f8db9f9dad403c58c3cfbc09ad4b2b930c5153fb4c0894f0b
Instruction Fuzzy Hash: B351CF71D006099FCB219FA5C945BFFBBB8AF05314F14805BE408AF291D7B99902CB6A

Function 00478A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00478B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00478B7A
__dosmaperr.LIBCMT ref: 00478B81

Strings

.F, xrefs: 00478A63

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .F
API String ID: 2434981716-907655787
Opcode ID: 75a11eb073a95ec5af7e52105cc3c1de6c2de229e2375ee9da0f3d1dc6572e37
Instruction ID: 89f20480cfb91b8fa959483c8b1a0294a35305fb488c2de2e28d9f11ce4b9366
Opcode Fuzzy Hash: 75a11eb073a95ec5af7e52105cc3c1de6c2de229e2375ee9da0f3d1dc6572e37
Instruction Fuzzy Hash: 2F417E70504045AFCB249F25C889AFE7F95DB85304F18C1AFF48D87642DE359C439798

Function 004A2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004A21D0,?,?,00000034,00000800,?,00000034), ref: 004AB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004A2760

Part of subcall function 004AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 004AB3F8

Part of subcall function 004AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 004AB355
Part of subcall function 004AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004A2194,00000034,?,?,00001004,00000000,00000000), ref: 004AB365
Part of subcall function 004AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004A2194,00000034,?,?,00001004,00000000,00000000), ref: 004AB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004A27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004A281A

Strings

@, xrefs: 004A2832

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: cd2705d4bb827773e05e7b589c3c111ee2177e43870f9f8a6f1a00a4abfba7f2
Instruction ID: 308108c89327fdb953ec663836991787bcc0bda5ca88cc80faa3442a708648ca
Opcode Fuzzy Hash: cd2705d4bb827773e05e7b589c3c111ee2177e43870f9f8a6f1a00a4abfba7f2
Instruction Fuzzy Hash: 2D413D76900218AFDB10DFA4CD81AEEBBB8EF1A304F00405AFA55B7191DB746E45DBA4

Function 0047172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00471769
_free.LIBCMT ref: 00471834
_free.LIBCMT ref: 0047183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00471760, 00471767, 00471796, 004717CE

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: db938c6f41a80ec770ab831fc6d10777a1ecdf8177db0e14a10a474f8b3bee98
Instruction ID: ffddac4f1815a84a41f564336a27954c514de69aa9bc1a332953554b2c5eea52
Opcode Fuzzy Hash: db938c6f41a80ec770ab831fc6d10777a1ecdf8177db0e14a10a474f8b3bee98
Instruction Fuzzy Hash: 6F319575A00218ABDB21DF9A9881DDFBBFCEB95310B1481ABE50897221D6748A44CB99

Function 004AC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004AC306
DeleteMenu.USER32(?,00000007,00000000), ref: 004AC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00511990,00DC4A58), ref: 004AC395

Strings

0, xrefs: 004AC2DF

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: a08065dcaabd5854bb54d7bdf7e962a8ee3012cbe35864bdc95162113c88498b
Instruction ID: bcb5ffec9493530bc2ce7132751c4c935d32c63eae30356223bcce357727110b
Opcode Fuzzy Hash: a08065dcaabd5854bb54d7bdf7e962a8ee3012cbe35864bdc95162113c88498b
Instruction Fuzzy Hash: 1741A071208301AFDB20DF25D884B1BBBE8AF96314F04861EFDA5973D1D778A904CB5A

Function 004D4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004DCC08,00000000,?,?,?,?), ref: 004D44AA
GetWindowLongW.USER32 ref: 004D44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004D44D7

Strings

SysTreeView32, xrefs: 004D447C

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3ab8d8d0d253fcc30a2335493130516706df0f0c67a2d2fac1a9188cc2926542
Instruction ID: 829c795f959bfcad38e3dc4dc2013eda93e5db7b3bee69ba2e5a1bc21c63a922
Opcode Fuzzy Hash: 3ab8d8d0d253fcc30a2335493130516706df0f0c67a2d2fac1a9188cc2926542
Instruction Fuzzy Hash: 07317E31210605AFDF208E38DC95BEB77A9EB49328F20472BF975922D0D778EC919754

Function 004A6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 004A6EED
VariantCopyInd.OLEAUT32(?,?), ref: 004A6F08
VariantClear.OLEAUT32(?), ref: 004A6F12

Strings

*jJ, xrefs: 004A6E8B, 004A6E90, 004A6EF8

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jJ
API String ID: 2173805711-3279958407
Opcode ID: 9bcc00c9a3297a963c4cbf7b5008e53aeb1e0818a37f25692058ca662e9f4a21
Instruction ID: 4d4754c35082ee077d59e2f2dffa684f2120e4ed7f44f03dcdce567146c12476
Opcode Fuzzy Hash: 9bcc00c9a3297a963c4cbf7b5008e53aeb1e0818a37f25692058ca662e9f4a21
Instruction Fuzzy Hash: C931D171704205DFDB04AFA5E8909BE77B6EF92308B1504AEF8064B2A1C738D912CBD9

Function 004C304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004C335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,004C3077,?,?), ref: 004C3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004C307A
_wcslen.LIBCMT ref: 004C309B
htons.WSOCK32(00000000,?,?,00000000), ref: 004C3106

Strings

255.255.255.255, xrefs: 004C3095, 004C309A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: d3c5209df74a7f231873a5e5aa31bffbfee2f02e536b178d5b4f55f479140001
Instruction ID: f3acfe79123c2eeb759f278ffa78b72ba8fbfcafc0702058d9365466f6083846
Opcode Fuzzy Hash: d3c5209df74a7f231873a5e5aa31bffbfee2f02e536b178d5b4f55f479140001
Instruction Fuzzy Hash: 3731B23A2002019FDB50DF29C485FAA77E0EF54319F28C05EE9158B392DB7AEE45C765

Function 004D3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004D3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004D3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 004D3F78

Strings

SysMonthCal32, xrefs: 004D3F0B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 2b46f14ab70b2c672dfe24b83a7a899f9e4f9e3d8619e6ce5e1b95c8ba2d18fc
Instruction ID: bbf97a22042148e17f555d23b8dbfa04ec8725639538e1fbb178c1cb050c10d5
Opcode Fuzzy Hash: 2b46f14ab70b2c672dfe24b83a7a899f9e4f9e3d8619e6ce5e1b95c8ba2d18fc
Instruction Fuzzy Hash: 7021BF32600219BFDF118F50CC96FEB3B79EB49718F11021AFA156B2D0D6B5AC50CB94

Function 004D4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004D4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004D4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004D471A

Strings

msctls_updown32, xrefs: 004D4684

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: ea435fa03d9a3381b2ddbfe86aad0589948ec14ed2bf90500f28a5c8db5e7fc0
Instruction ID: eeca0fdf0b13e5eefb0ba95d9376207a5e6c56eadc571a621743be02dab8851c
Opcode Fuzzy Hash: ea435fa03d9a3381b2ddbfe86aad0589948ec14ed2bf90500f28a5c8db5e7fc0
Instruction Fuzzy Hash: A92151B5600209AFDB10DF65DCD1DBB37ADEB9A398B04005BF6009B391CB75EC11DA64

Function 004A95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004A961D

Strings

#requireadmin, xrefs: 004A95D9
#OnAutoItStartRegister, xrefs: 004A95F3
#notrayicon, xrefs: 004A95B7

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: be4b0950bcf589ab970f88d580edbb433cadc529d22915885d220edf0b090f19
Instruction ID: 80e38fbf8443115e0d173aee05e7419fb459e36931e2edfd5f1fa0028beb1319
Opcode Fuzzy Hash: be4b0950bcf589ab970f88d580edbb433cadc529d22915885d220edf0b090f19
Instruction Fuzzy Hash: 5721357260421066D331AA26DC02FBB73D89FB6314F14442FFA4A97281EB5DAD56C29E

Function 004D37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004D3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004D3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004D3876

Strings

Listbox, xrefs: 004D380F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3896f27926b5356bfe5291ac1638631c48be5d8dddb3f966dd48cf3fc9744990
Instruction ID: 13a74f170518cd82caec1cf9b5e3600b3b25bf587dff94147f57ad1244dc1713
Opcode Fuzzy Hash: 3896f27926b5356bfe5291ac1638631c48be5d8dddb3f966dd48cf3fc9744990
Instruction Fuzzy Hash: 3E210472600119BBEF219F54CC85FBB37AEEF89754F008126F9009B290C675DC12D7A4

Function 004B49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004B4A5C
SetErrorMode.KERNEL32(00000000,?,?,004DCC08), ref: 004B4AD0

Strings

%lu, xrefs: 004B4A6F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7fe1c2ab4a388395003416380a371522805701318706e014a6b08620a2652059
Instruction ID: 5b683f470ff01471fe4b6c1df3b17ee86dfcc22a2e39b00770b1aca981ebcb21
Opcode Fuzzy Hash: 7fe1c2ab4a388395003416380a371522805701318706e014a6b08620a2652059
Instruction Fuzzy Hash: 87318E74A00109AFDB10DF54C885EAE7BF8EF48308F1480AAE909DB352D775ED46CB65

Function 004D41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004D424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004D4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004D4271

Strings

msctls_trackbar32, xrefs: 004D4226

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3c941c36bfc4942e8e44f4b0d09b70d3212f1681df46baf0e66eaa82e8efa9c4
Instruction ID: 50127a500a8c5dc359579f458cd6727c291108e999354b6154d191939e34735f
Opcode Fuzzy Hash: 3c941c36bfc4942e8e44f4b0d09b70d3212f1681df46baf0e66eaa82e8efa9c4
Instruction Fuzzy Hash: DD11E331240208BFEF205F29CC46FAB3BACEF95B64F11012AFA55E2290D675D8119B28

Function 004A2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

Part of subcall function 004A2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004A2DC5
Part of subcall function 004A2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A2DD6
Part of subcall function 004A2DA7: GetCurrentThreadId.KERNEL32 ref: 004A2DDD
Part of subcall function 004A2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004A2DE4

GetFocus.USER32 ref: 004A2F78

Part of subcall function 004A2DEE: GetParent.USER32(00000000), ref: 004A2DF9

GetClassNameW.USER32(?,?,00000100), ref: 004A2FC3
EnumChildWindows.USER32(?,004A303B), ref: 004A2FEB

Strings

%s%d, xrefs: 004A2FFF

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: bea6aa6a8a135b2a6baaa24a93bb140a1ec802427bbe3429048d6056e2742d90
Instruction ID: 0bc569bf23bae8173d30bd299ca2a18b37f34c2932f8fc508cf0beed64782ca7
Opcode Fuzzy Hash: bea6aa6a8a135b2a6baaa24a93bb140a1ec802427bbe3429048d6056e2742d90
Instruction Fuzzy Hash: EB11D5712002056BDF107F658CC5EEE376AAF95309F04407BFD099B292EE789909DB68

Function 004D5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004D58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004D58EE
DrawMenuBar.USER32(?), ref: 004D58FD

Strings

0, xrefs: 004D588F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 89b9957050112243d3d8f02dba08883c145551f2b138a49e310f362ec17c33bb
Instruction ID: b04b5bece51d957a0a8ee0f12f005dafe6927a80aa7729fed8fcb87a759f746c
Opcode Fuzzy Hash: 89b9957050112243d3d8f02dba08883c145551f2b138a49e310f362ec17c33bb
Instruction Fuzzy Hash: 3301A171500218EFDB109F11DC55BAFBBB4FB45361F0080ABE848D6251DF348A85DF2A

Function 0049D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0049D3BF
FreeLibrary.KERNEL32 ref: 0049D3E5

Strings

X64, xrefs: 0049D2A8
GetSystemWow64DirectoryW, xrefs: 0049D3B9

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 7b8393184c221bf24f80ba64d9f2871a559fc1e486f40634f92d135a1c4864a7
Instruction ID: c582575667fc07682611908234fa714cbd58bb43cd1f9925d339bd4a92fc2ebc
Opcode Fuzzy Hash: 7b8393184c221bf24f80ba64d9f2871a559fc1e486f40634f92d135a1c4864a7
Instruction Fuzzy Hash: DAF0EC21D06A2297DF7557104C989AE3F14AF11742B9486B7EC02E524DDB1CCD45C69F

Function 004A007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c014c28e17ccb39788ef984ba0ba97dd4ee9642940ce23ecd047c837800aad9
Instruction ID: 98626709552b6c92df0f29a06992de049f92cd37a9c09b77a91bcad73a023377
Opcode Fuzzy Hash: 0c014c28e17ccb39788ef984ba0ba97dd4ee9642940ce23ecd047c837800aad9
Instruction Fuzzy Hash: 37C16B75A0020AEFCB14CFA4C894BAEB7B5FF59304F20859AE805EB251D735ED42CB94

Function 004C342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004C3459
CoUninitialize.OLE32 ref: 004C3463
VariantInit.OLEAUT32(?), ref: 004C346E
VariantClear.OLEAUT32(?), ref: 004C371B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 77936d54243d88dff453116cf20af080cb71b32dbf2e0764cb3d53f7f4ef6e07
Instruction ID: 7e86fce399edd4b75eb98e23bb1f2809f3d1c2d6beb8e6de4bf329f6e420d8c2
Opcode Fuzzy Hash: 77936d54243d88dff453116cf20af080cb71b32dbf2e0764cb3d53f7f4ef6e07
Instruction Fuzzy Hash: D4A16E79604210AFD710DF25C485E1AB7E4FF88719F04885EF94A9B362DB38ED05CB59

Function 004A0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000), ref: 004A05F0
CoTaskMemFree.OLE32(00000000), ref: 004A0608
CLSIDFromProgID.OLE32(?,?), ref: 004A062D
_memcmp.LIBVCRUNTIME ref: 004A064E

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 1598e95be5655e2fd8b12dc8d07726dd336745e2e712224f76858938b6dc7f37
Instruction ID: a982c96c7781af07c8f0c91e66fa6bd8a67aff6888e3d06469d274ad82e1960a
Opcode Fuzzy Hash: 1598e95be5655e2fd8b12dc8d07726dd336745e2e712224f76858938b6dc7f37
Instruction Fuzzy Hash: A0814A71A00109EFCB04DF94C988EEEB7B9FF9A315F204159F506AB250DB75AE06CB64

Function 004CA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004CA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 004CA6BA

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Process32NextW.KERNEL32(00000000,?), ref: 004CA79C
CloseHandle.KERNEL32(00000000), ref: 004CA7AB

Part of subcall function 0045CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00483303,?), ref: 0045CE8A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 9d4551e71869199e17bb1e53c6cdcf108bce89a3c6a6aa66b1075d1c88bb2a02
Instruction ID: 286eea78f7ebc1037b3ca36e03b34f0a1ff119c2932cfc6224ccd6c25f19aa7b
Opcode Fuzzy Hash: 9d4551e71869199e17bb1e53c6cdcf108bce89a3c6a6aa66b1075d1c88bb2a02
Instruction Fuzzy Hash: F4516E75508301AFD710EF25C886E6BBBE8FF89758F00492EF98597252EB34D904CB96

Function 00481391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004814C0

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e330774bc1040741d440dca393a8957e6cffe588986f43d4eab97f8eb4433040
Instruction ID: 6f2dbfc4c082461a509bfd37ce96e1ab68ee3a353328b9f41e692deec3ae0c31
Opcode Fuzzy Hash: e330774bc1040741d440dca393a8957e6cffe588986f43d4eab97f8eb4433040
Instruction Fuzzy Hash: 2F417071A001006BDB217BBA9C45ABF3BACEF41734F144A6BF418C62B1E67C4843576E

Function 004D6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004D62E2
ScreenToClient.USER32(?,?), ref: 004D6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 004D6382

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: aaa3884a15ebc6e81b1ef6038e290de3e4c3300506d15243919c667ddc1566fe
Instruction ID: cd0f5c1c45702ed9e3acacddbf467c15daf66712b0086820a72fa60944cff3a8
Opcode Fuzzy Hash: aaa3884a15ebc6e81b1ef6038e290de3e4c3300506d15243919c667ddc1566fe
Instruction Fuzzy Hash: CF514A74A00209AFCF10DF68D8909AE7BB5EF55360F11826BF9259B390D734ED41CB94

Function 004C1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 004C1AFD
WSAGetLastError.WSOCK32 ref: 004C1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 004C1B8A
WSAGetLastError.WSOCK32 ref: 004C1B94

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 518ebdeaa2ce82bd8b13142bdb4118e611ed1b9941d718c141e03175152b6b62
Instruction ID: d4f162c6049bd760763204c078b893079eb55226a702b7b7ccfa4f0031050f97
Opcode Fuzzy Hash: 518ebdeaa2ce82bd8b13142bdb4118e611ed1b9941d718c141e03175152b6b62
Instruction Fuzzy Hash: 9041D538600201AFE720AF21C886F2677E5AB45718F54845EF9169F3D3E77AED42CB94

Function 0047B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d3c39b542f68506b9ea5543e2ca34a75aecb67a33fb7a6aae5f6a6c0fc92e7
Instruction ID: 998abe61d2193a6ab3bb89d55d15a32d2e64759f45128d90db0549c27154fc19
Opcode Fuzzy Hash: b3d3c39b542f68506b9ea5543e2ca34a75aecb67a33fb7a6aae5f6a6c0fc92e7
Instruction Fuzzy Hash: 2341E671A00704BFD724AF39C841BAABBA9EB84714F10852FF549DB292D779994187C4

Function 004B56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004B5783
GetLastError.KERNEL32(?,00000000), ref: 004B57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004B57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004B57FA

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ff0154770d8b9a5dc8f16829245b2a50124b409c364071eaa98ed39745458c56
Instruction ID: 320549d413e82f32af03376d58cc566e6a1bd7fa0bf839db32533621b2b93766
Opcode Fuzzy Hash: ff0154770d8b9a5dc8f16829245b2a50124b409c364071eaa98ed39745458c56
Instruction Fuzzy Hash: 8D414135600610DFDB11EF16C584A5EBBE1EF49319B18889AEC4A5F361CB38FD01CB95

Function 0047D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00466D71,00000000,00000000,004682D9,?,004682D9,?,00000001,00466D71,?,00000001,004682D9,004682D9), ref: 0047D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0047D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0047D9AB
__freea.LIBCMT ref: 0047D9B4

Part of subcall function 00473820: HeapAlloc.KERNEL32(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: 20d83221810b4dcfa51e20f72d6da70f53a28705cd54b5ce694e37b902652127
Instruction ID: 98a71480fb4f13076a837ad5b3108f33b4284f82f1c86bca29e39467fcffc922
Opcode Fuzzy Hash: 20d83221810b4dcfa51e20f72d6da70f53a28705cd54b5ce694e37b902652127
Instruction Fuzzy Hash: E531DFB2A1021AABDB249F65DC41EEF7BB5EF40310F05826AFD0896250E739CD50CB95

Function 004D52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 004D5352
GetWindowLongW.USER32(?,000000F0), ref: 004D5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004D5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004D53A8

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: c0d50b07211dbf753d4482b6c16d4f8700ce75a8ba501efe1224202b1bd5d538
Instruction ID: a49919a1f5e09118e2096183bc1c00c0845a6718d91db8f1dbc11d4f76e5938f
Opcode Fuzzy Hash: c0d50b07211dbf753d4482b6c16d4f8700ce75a8ba501efe1224202b1bd5d538
Instruction Fuzzy Hash: CF31E330A55A08EFEB309F14CC65BEA3761AB05390F584103FE10963E1CFB8AD50EB4A

Function 004AAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 004AABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 004AAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 004AAC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 004AACC6

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3d7fea61392394a6092d229cb0c5cd4f43ef4e8c6a75a5ce92bf33e0c0b15a9b
Instruction ID: 40043c2a0c3c661470ce19e209218f9fca30a6ec91bb5bb8bbface2ae7e58682
Opcode Fuzzy Hash: 3d7fea61392394a6092d229cb0c5cd4f43ef4e8c6a75a5ce92bf33e0c0b15a9b
Instruction Fuzzy Hash: 4F311670A006186FFF35CB6588087FB7BA6ABA7330F04421BE481922D1C37D89A1C75A

Function 004D7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004D769A
GetWindowRect.USER32(?,?), ref: 004D7710
PtInRect.USER32(?,?,004D8B89), ref: 004D7720
MessageBeep.USER32(00000000), ref: 004D778C

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1f900d0f9a7a37351b4cbef90bf8f2a464dd94d1f7983a5a0bb1dde9e2325290
Instruction ID: 8f3a65c4a8ff03e7a759bd4d1f5725d529b9a937930d519c53d682d88f4dd903
Opcode Fuzzy Hash: 1f900d0f9a7a37351b4cbef90bf8f2a464dd94d1f7983a5a0bb1dde9e2325290
Instruction Fuzzy Hash: 34419C34A092159FCB01CF58C8A8EA977F4BB49314F1885ABE5249B361E338F945CF98

Function 004D16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004D16EB

Part of subcall function 004A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A3A57
Part of subcall function 004A3A3D: GetCurrentThreadId.KERNEL32 ref: 004A3A5E
Part of subcall function 004A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004A25B3), ref: 004A3A65

GetCaretPos.USER32(?), ref: 004D16FF
ClientToScreen.USER32(00000000,?), ref: 004D174C
GetForegroundWindow.USER32 ref: 004D1752

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ade4181b589b7775c423c86fe611288d8c9837b24b56d04d30bee13cd4edbbd3
Instruction ID: 0a04db13fd0ee4e6d4adf26e5b4dc06a50121e452adf452a93ae64d024ab87af
Opcode Fuzzy Hash: ade4181b589b7775c423c86fe611288d8c9837b24b56d04d30bee13cd4edbbd3
Instruction Fuzzy Hash: D8315E75D01249AFD700DFAAC8C18AEB7F9EF49308B5480ABE415E7211E7359E45CBA4

Function 004D8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

GetCursorPos.USER32(?), ref: 004D9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00497711,?,?,?,?,?), ref: 004D9016
GetCursorPos.USER32(?), ref: 004D905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00497711,?,?,?), ref: 004D9094

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4390e80675207fbeb0eeeb8e8e83242288aa10403112035c62a96edc71fa6b60
Instruction ID: 13b8a4e9fc8e3f57add1d32b8bfe3de1062370f23f9fcf4f1cabd224e5859f1e
Opcode Fuzzy Hash: 4390e80675207fbeb0eeeb8e8e83242288aa10403112035c62a96edc71fa6b60
Instruction Fuzzy Hash: 38219E31600018FFDB169F94D8A8EEA3BB9EF49350F0481ABF9058B361C3359D50DB64

Function 004AD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004DCB68), ref: 004AD2FB
GetLastError.KERNEL32 ref: 004AD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 004AD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,004DCB68), ref: 004AD376

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0308c23645edc4cd9090e24b7d84c4b4f5d3c9dfa31ba4f6abb5560a37225735
Instruction ID: 1a56ec8e2de61954e0d0b8e79fb5e106c3b73b29e309e54118aa7ecd19b79cd3
Opcode Fuzzy Hash: 0308c23645edc4cd9090e24b7d84c4b4f5d3c9dfa31ba4f6abb5560a37225735
Instruction Fuzzy Hash: D72194709052019F8B00DF29C88146F77E4AF66358F104A6FF896C76A1D734DD46CB9B

Function 004A1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004A102A
Part of subcall function 004A1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004A1036
Part of subcall function 004A1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004A1045
Part of subcall function 004A1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004A104C
Part of subcall function 004A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004A1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004A15BE
_memcmp.LIBVCRUNTIME ref: 004A15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A1617
HeapFree.KERNEL32(00000000), ref: 004A161E

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 7c5cab6a9adc8f937351826cfcb86d3df126583ed39bd5baac50f3bd41d5aeb8
Instruction ID: 7dcdc3a462846f7a98e1eb8cc9406d212eb466ef1673c32e2a142dd7fd6fde4f
Opcode Fuzzy Hash: 7c5cab6a9adc8f937351826cfcb86d3df126583ed39bd5baac50f3bd41d5aeb8
Instruction Fuzzy Hash: A3219D31E41109EFDF00DFA4C945BEFB7B8EF56344F08445AE441AB261E738AA05CBA4

Function 004D2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004D280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004D2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004D2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004D2840

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 0c71e76a39449fbc67f71344197956211f9b0553544a23c149f900fef4091b1a
Instruction ID: 1b3e7198f5bbff1fb9e761f408cd0d6d1153e514e34a056da38bcb3ae55b1b44
Opcode Fuzzy Hash: 0c71e76a39449fbc67f71344197956211f9b0553544a23c149f900fef4091b1a
Instruction Fuzzy Hash: B9210031205111AFD7109B24C9A0FAABB95EF55328F14825BF4268B3E2C7B9FC42C798

Function 004A78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004A8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,004A790A,?,000000FF,?,004A8754,00000000,?,0000001C,?,?), ref: 004A8D8C
Part of subcall function 004A8D7D: lstrcpyW.KERNEL32(00000000,?,?,004A790A,?,000000FF,?,004A8754,00000000,?,0000001C,?,?,00000000), ref: 004A8DB2
Part of subcall function 004A8D7D: lstrcmpiW.KERNEL32(00000000,?,004A790A,?,000000FF,?,004A8754,00000000,?,0000001C,?,?), ref: 004A8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,004A8754,00000000,?,0000001C,?,?,00000000), ref: 004A7923
lstrcpyW.KERNEL32(00000000,?,?,004A8754,00000000,?,0000001C,?,?,00000000), ref: 004A7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,004A8754,00000000,?,0000001C,?,?,00000000), ref: 004A7984

Strings

cdecl, xrefs: 004A797B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: ee18a15defd7d50fe2a0e31846a8eb6393ba3c658a6207717f76bcdc18db7f53
Instruction ID: 509687913b0c37282026e872e5027bfa20625c91b5b9fad6cd85afd04c5c36d3
Opcode Fuzzy Hash: ee18a15defd7d50fe2a0e31846a8eb6393ba3c658a6207717f76bcdc18db7f53
Instruction Fuzzy Hash: 6611037A201202ABDB259F39CC45E7B77A9FF96354B40402FF802C73A4EB359811C7A9

Function 004D7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004D7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 004D7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004D7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004BB7AD,00000000), ref: 004D7D6B

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: e81c573fb7cb0e757388a87ac243c8ec438454bf2472e04f7727fd1c0afdc30b
Instruction ID: b18d8aa63c24655f6205e7434e52b755bbcd4d8531fe05a1468ec0d92b6ea7a3
Opcode Fuzzy Hash: e81c573fb7cb0e757388a87ac243c8ec438454bf2472e04f7727fd1c0afdc30b
Instruction Fuzzy Hash: FC11CD31205625AFCB108F28CC54AA63BA6AF45360B118327F93AC73F0E7349951DB48

Function 004D5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004D56BB
_wcslen.LIBCMT ref: 004D56CD
_wcslen.LIBCMT ref: 004D56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 004D5816

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 948fa785b0f3d027f3672580c03e90aeca2a8b3e0a10b981a453d43264046542
Instruction ID: f70eeee61b37d2f99d075fae6d288b7fc304222dd3e9a8baafd71933fe31f63f
Opcode Fuzzy Hash: 948fa785b0f3d027f3672580c03e90aeca2a8b3e0a10b981a453d43264046542
Instruction Fuzzy Hash: 0011D271600608A6DB20DB658C91AEE37ACEB11364B10406BF91596281EF78C984CB6D

Function 00471D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e29bdf9d6b6e2c0f9c77981c2cf3037a4f214cb855130b0cef5a3d1608ee15c
Instruction ID: e4ce1974a869e209f734acdd605bd55bc18ec583b26f87f9278e564935526d28
Opcode Fuzzy Hash: 1e29bdf9d6b6e2c0f9c77981c2cf3037a4f214cb855130b0cef5a3d1608ee15c
Instruction Fuzzy Hash: 8A01F7F22056163EF621167C7CC1FA7671CDF413B8F34832BF529912E1DB689C405928

Function 004A1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 004A1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004A1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004A1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004A1A8A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 027376dd4c6df002427607145238f7d8e6850e2b93a2849e473bcac6b98ca45c
Instruction ID: db1206e9744381a2b6116de1b78b5958f9bb0c0d6a64a905431cc192e6494f91
Opcode Fuzzy Hash: 027376dd4c6df002427607145238f7d8e6850e2b93a2849e473bcac6b98ca45c
Instruction Fuzzy Hash: AD113C3AD01219FFEB10DBA5CD85FADBB78EB15750F200092E600B7290D6716E50DB98

Function 004AE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004AE1FD
MessageBoxW.USER32(?,?,?,?), ref: 004AE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004AE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004AE24D

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 27e846efd7271b0c7e5bf23445bb114121d8a96ac445db88fea091a2b2064b78
Instruction ID: 14327a9de35e3f84be5e7d4eacf3e66f0750f66ababda21258b09cbc1ef9be48
Opcode Fuzzy Hash: 27e846efd7271b0c7e5bf23445bb114121d8a96ac445db88fea091a2b2064b78
Instruction Fuzzy Hash: BA110872E04259BBC7019BA99C49BDF7FACDB56310F0086A6F935D3291D2748D0487A8

Function 0046D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0046CFF9,00000000,00000004,00000000), ref: 0046D218
GetLastError.KERNEL32 ref: 0046D224
__dosmaperr.LIBCMT ref: 0046D22B
ResumeThread.KERNEL32(00000000), ref: 0046D249

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: e3e6754619fe229ec3ce3358fbbbaada51671352c706bcbe36fc6f676a3df27d
Instruction ID: 185c4b4b806d7e22eaa87621dd1c17646272a937dcd2fd26d974b53fc305ec6c
Opcode Fuzzy Hash: e3e6754619fe229ec3ce3358fbbbaada51671352c706bcbe36fc6f676a3df27d
Instruction Fuzzy Hash: 3A012636D052047BCB105BA6DC05BAF7B68DF81334F10426BF824921D0EF75C901C6AB

Function 004D9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

GetClientRect.USER32(?,?), ref: 004D9F31
GetCursorPos.USER32(?), ref: 004D9F3B
ScreenToClient.USER32(?,?), ref: 004D9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 004D9F7A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: fdb46f825d0c9c0a02048e3c3985d8b2bca7e246593491caa4f59fdc47d02380
Instruction ID: c0f480d867c035fd48f5ecb899952186af955f961292ce2f631643572e8a8646
Opcode Fuzzy Hash: fdb46f825d0c9c0a02048e3c3985d8b2bca7e246593491caa4f59fdc47d02380
Instruction Fuzzy Hash: 47114832A0011ABBDB00DF69D8999EE77B8FB05315F40056BF911E3240D338BE81CBA9

Function 0044600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0044604C
GetStockObject.GDI32(00000011), ref: 00446060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0044606A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 65e84a1f5ffe90201bde4ec3030c145bac4accdf6b6e1ebd9ef25b6dec211cc3
Instruction ID: a1ecd2a35bdc41763f742d6e1e2133045762a127e5ed639f7c99f76b3d1ff69e
Opcode Fuzzy Hash: 65e84a1f5ffe90201bde4ec3030c145bac4accdf6b6e1ebd9ef25b6dec211cc3
Instruction Fuzzy Hash: 2E11A1B2102509BFEF128FA4CC44EEBBB69EF09355F010217FA1452110C736DC60DBA5

Function 00463B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00463B56

Part of subcall function 00463AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00463AD2
Part of subcall function 00463AA3: ___AdjustPointer.LIBCMT ref: 00463AED

_UnwindNestedFrames.LIBCMT ref: 00463B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00463B7C
CallCatchBlock.LIBVCRUNTIME ref: 00463BA4

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: baef11e2670b8e669d5dc69bc645bd4508640475bad923596370180b6adc5e1f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 80018032100189BBDF125E96CC42DEB3F6DEF88759F04400AFE4856121E73AE961DBA5

Function 00473073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004413C6,00000000,00000000,?,0047301A,004413C6,00000000,00000000,00000000,?,0047328B,00000006,FlsSetValue), ref: 004730A5
GetLastError.KERNEL32(?,0047301A,004413C6,00000000,00000000,00000000,?,0047328B,00000006,FlsSetValue,004E2290,FlsSetValue,00000000,00000364,?,00472E46), ref: 004730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0047301A,004413C6,00000000,00000000,00000000,?,0047328B,00000006,FlsSetValue,004E2290,FlsSetValue,00000000), ref: 004730BF

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: cd460baee730a5fc062a3830443ea61a31d7ed47ba38f6cc8f0673754b835c48
Instruction ID: 5e7b070fca632c926db95e8c61440554c631d2e6c48814794bd542727d34338c
Opcode Fuzzy Hash: cd460baee730a5fc062a3830443ea61a31d7ed47ba38f6cc8f0673754b835c48
Instruction Fuzzy Hash: 4B01FC32752263ABCB314F789C849D777989F05B62B108732F909D7284D725D905D6D8

Function 004A7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 004A747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004A7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004A74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004A74CA

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 06cf105919da84dd6528e902219d047aea51d88f6e12889b535f7c86b01ae603
Instruction ID: 3050082cd5ca89934f75524ba3deb1d905f38cb66990f7fe957bc9a23a36e035
Opcode Fuzzy Hash: 06cf105919da84dd6528e902219d047aea51d88f6e12889b535f7c86b01ae603
Instruction Fuzzy Hash: 0A11ADB120A311AFE7308F14DD48B927BFCEB09B00F10856BE616D6191D7B4E904DBA5

Function 004AB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004AACD3,?,00008000), ref: 004AB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004AACD3,?,00008000), ref: 004AB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004AACD3,?,00008000), ref: 004AB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004AACD3,?,00008000), ref: 004AB126

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 427a209ace80c095cc8a1610c761dbed6a10fd2c332abe7ed14676c8004223e0
Instruction ID: 4a88bd620ab87f1c5a41ab028966d3fb503e972ba1393ac22d5179d0d8c360d4
Opcode Fuzzy Hash: 427a209ace80c095cc8a1610c761dbed6a10fd2c332abe7ed14676c8004223e0
Instruction Fuzzy Hash: 4A115E31C0152DE7CF009FE5D9986EEBB78FF2A751F1040A7D941B6282CB345651CB99

Function 004D7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004D7E33
ScreenToClient.USER32(?,?), ref: 004D7E4B
ScreenToClient.USER32(?,?), ref: 004D7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D7E8A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 23650e8f1e8a09cbd1bb4709f9152d47dd88e1088ee2bb693f424b3ee7cbaa78
Instruction ID: 34ab880896ad92d93435ca30d8b98aaab698f739ca6b87f4ccd9e92b3def29ad
Opcode Fuzzy Hash: 23650e8f1e8a09cbd1bb4709f9152d47dd88e1088ee2bb693f424b3ee7cbaa78
Instruction Fuzzy Hash: 3C1140B9D0020AAFDB41CF98C884AEEBBF9FB08310F509166E915E2210D735AA54CF94

Function 004A2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004A2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 004A2DD6
GetCurrentThreadId.KERNEL32 ref: 004A2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004A2DE4

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 875ce4e6fa84875c9714ca1075041573b23a2489e474233f0260d040329d8919
Instruction ID: c640dc4997dd81bfc8981cc77e39e8818434e40ab040f886a04aa59b1adb4f35
Opcode Fuzzy Hash: 875ce4e6fa84875c9714ca1075041573b23a2489e474233f0260d040329d8919
Instruction Fuzzy Hash: ACE092711422257BDB201B769C4DFEB3F6CEF53BA1F000027F505D10819AE8C841D6B4

Function 004D8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00459639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00459693
Part of subcall function 00459639: SelectObject.GDI32(?,00000000), ref: 004596A2
Part of subcall function 00459639: BeginPath.GDI32(?), ref: 004596B9
Part of subcall function 00459639: SelectObject.GDI32(?,00000000), ref: 004596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 004D8887
LineTo.GDI32(?,?,?), ref: 004D8894
EndPath.GDI32(?), ref: 004D88A4
StrokePath.GDI32(?), ref: 004D88B2

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f5ab688d72cffe9a957683257d67deb686fbeca8addc102e9761c82c06749508
Instruction ID: 2664e38b7238247bb07a401e116605790665306b17a4334baa32ab1815d2c055
Opcode Fuzzy Hash: f5ab688d72cffe9a957683257d67deb686fbeca8addc102e9761c82c06749508
Instruction Fuzzy Hash: 18F09A36002259FADB122F94AC09FDE3B19AF06310F008012FA11611E2C7781515DFAD

Function 004598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004598CC
SetTextColor.GDI32(?,?), ref: 004598D6
SetBkMode.GDI32(?,00000001), ref: 004598E9
GetStockObject.GDI32(00000005), ref: 004598F1

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e26463eab76b0fc71440375ccb2d85fe008c63a816323d3d9392049652d7d88b
Instruction ID: b099cf2ee14519a9ff141320a8571acd5c6f363b4344eb77e9d1607a7d2e3d4e
Opcode Fuzzy Hash: e26463eab76b0fc71440375ccb2d85fe008c63a816323d3d9392049652d7d88b
Instruction Fuzzy Hash: 57E03931245291AADF215B74AC49BED3F60AB12336F04822BF6FA581E2C3754640DF14

Function 004A162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 004A1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004A11D9), ref: 004A163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004A11D9), ref: 004A1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004A11D9), ref: 004A164F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 02697746fb84ed9abf6250e8d851bdfb5cb9cd2586addd8346ae99a9b8fc4a02
Instruction ID: 35d023e7b05fb92314854e21ee2d9a1adc1f5b86a08682e16fb29d83da064714
Opcode Fuzzy Hash: 02697746fb84ed9abf6250e8d851bdfb5cb9cd2586addd8346ae99a9b8fc4a02
Instruction Fuzzy Hash: 58E08631603212DBDB201FE09E4DB473B7CAF657A1F14482AF646C9090D6384440C798

Function 0049D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0049D858
GetDC.USER32(00000000), ref: 0049D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0049D882
ReleaseDC.USER32(?), ref: 0049D8A3

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a3498a10f2bb73d47a91dcc14269409cd809ebd074732f6f2e776d94ee45b594
Instruction ID: 3aaf4053f2078168c9955281b5f654ba84837fd02694930be7fe47ba03efe72d
Opcode Fuzzy Hash: a3498a10f2bb73d47a91dcc14269409cd809ebd074732f6f2e776d94ee45b594
Instruction Fuzzy Hash: 66E01AB0C01206DFCF41AFA1D88C66DBBB2FB08311F18802AE806E7250C7388906EF49

Function 0049D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0049D86C
GetDC.USER32(00000000), ref: 0049D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0049D882
ReleaseDC.USER32(?), ref: 0049D8A3

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: afb1cae67f1dbccf9c3338bf22ba5292c787c2f63e3ce4fe37678ff89ba98f3d
Instruction ID: 8a0dd66dbd2cf0e8632969383f4558a253f4a699c4b0c1b5bdf8a92fedab7319
Opcode Fuzzy Hash: afb1cae67f1dbccf9c3338bf22ba5292c787c2f63e3ce4fe37678ff89ba98f3d
Instruction Fuzzy Hash: 01E01A70C01201DFCF519FA0D88C66DBBB1FB08311B18801AE806E7250C7389906DF48

Function 004B4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00447620: _wcslen.LIBCMT ref: 00447625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 004B4ED4

Strings

LPT, xrefs: 004B4DFB
*, xrefs: 004B4E10

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 75a9bc348361778638d3c28c16445c3eabefd753ee4476fcfd657b5a606efba0
Instruction ID: fc6d50f192e5efcd8ea09b424c24f5cd83eeac2870246fe44556ac36402dc668
Opcode Fuzzy Hash: 75a9bc348361778638d3c28c16445c3eabefd753ee4476fcfd657b5a606efba0
Instruction Fuzzy Hash: 82916275A002149FDB14DF59C484EAABBF1BF84308F15809EE80A9F362D739ED46CB65

Function 004C7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0049569E,00000000,?,004DCC08,?,00000000,00000000), ref: 004C78DD

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

CharUpperBuffW.USER32(0049569E,00000000,?,004DCC08,00000000,?,00000000,00000000), ref: 004C783B

Strings

<sP, xrefs: 004C77C8

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sP
API String ID: 3544283678-3175726631
Opcode ID: 54d96038577731159b43ad5261e1892af406e9be15824d66bceb810929d6c411
Instruction ID: a53b1428dbe54a61496e558a0edd951661e58ad60d94939172bb17e6dfdc153d
Opcode Fuzzy Hash: 54d96038577731159b43ad5261e1892af406e9be15824d66bceb810929d6c411
Instruction Fuzzy Hash: 08616E76914119ABEF04FFA5CC91EFEB374BF14704B44052FE602A3191EB386A05DBA9

Function 0045E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0045E1B1

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3e6ac99848bb605edfe9246f7fd244e9b7fae93246d95f4b24dc47cd5f51c8d7
Instruction ID: b4315caa145df46ccb7fd89d66e4fc10af2c076208bdc4ae863a783938ca52a6
Opcode Fuzzy Hash: 3e6ac99848bb605edfe9246f7fd244e9b7fae93246d95f4b24dc47cd5f51c8d7
Instruction Fuzzy Hash: B0512235504206DFDF18DFAAC0806BA7BA4EF55310F2440ABFC519B391D6389E47CB6A

Function 0045F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0045F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0045F2BB

Strings

@, xrefs: 0045F2AF

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 4538dff3fd4836339bfc40263d9710bb2781d9f4dea7ae7cf927123355d85d65
Instruction ID: 34a939415a702d6c7226b88bc9533915341ea8f3f7fad2a26033a73c6dfb2535
Opcode Fuzzy Hash: 4538dff3fd4836339bfc40263d9710bb2781d9f4dea7ae7cf927123355d85d65
Instruction Fuzzy Hash: DD5155714097449BE320AF51D886BAFBBF8FB84304F81885EF1D9411A5EB358529CB6B

Function 004C5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004C57E0
_wcslen.LIBCMT ref: 004C57EC

Strings

CALLARGARRAY, xrefs: 004C57E6, 004C57EB

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: f6733cac7e221959566494705cae0f42dfa393df55eea385818ac982d3dca2a9
Instruction ID: b039225f3c0b8f1924038c040c322aa6086fa70ee05cfdbc7127f434df01eec2
Opcode Fuzzy Hash: f6733cac7e221959566494705cae0f42dfa393df55eea385818ac982d3dca2a9
Instruction Fuzzy Hash: 9341A135A001059FCB14EFAAC881DAEBBB5EF59354F10406EF505A7352D738AD81CBA8

Function 004BD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004BD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004BD13A

Strings

|, xrefs: 004BD10B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 2ee2b61de4ba264264921098ebee19c5feb20cf9203e359011c142a940ca8a52
Instruction ID: 97d0fa522cf00627de11069acf3e5aef7b2f3a08354bfaf10af945ac474c0140
Opcode Fuzzy Hash: 2ee2b61de4ba264264921098ebee19c5feb20cf9203e359011c142a940ca8a52
Instruction Fuzzy Hash: A6315071D00209ABDF15EFA5CC85AEF7FB9FF05304F10005AF815A6261E735A906CB69

Function 004D356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004D3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004D365C

Strings

static, xrefs: 004D35BC

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 2f55c15cc4cef9b8d1fd29aa5476389035e451670476e82d4a645b920e90d0bd
Instruction ID: e1354b893329e14a86276c5e1b0cc98c33cb79a2a3a18fcfd104cbf1477665a1
Opcode Fuzzy Hash: 2f55c15cc4cef9b8d1fd29aa5476389035e451670476e82d4a645b920e90d0bd
Instruction Fuzzy Hash: 1631AE71100604AADB20DF28DC90ABB73A9FF48724F00861FF8A597280DA39ED81D769

Function 004D4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 004D461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004D4634

Strings

', xrefs: 004D458E

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: bde404b34ffff47073bd94a9ca1ec898818a83c058ceafcb0084d58d9cc4641b
Instruction ID: 03f51e7ef033263042f15b21f0236713621bd572ee70497e4af5210c61d5f84b
Opcode Fuzzy Hash: bde404b34ffff47073bd94a9ca1ec898818a83c058ceafcb0084d58d9cc4641b
Instruction Fuzzy Hash: 92312774A0120AAFDB14CFA9D9A1BDA7BB5FF49300F10406BEA05AB381D774E941CF94

Function 004D31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004D327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004D3287

Strings

Combobox, xrefs: 004D3249

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 85faac9b5f1fd0a7ed863b29855315abec2e746e800ceeff68f94d24d302e6ce
Instruction ID: 3b457fb67f3f3924f69618d8a80f09f709bb9dbb7456207f2377ca6322dc6b7f
Opcode Fuzzy Hash: 85faac9b5f1fd0a7ed863b29855315abec2e746e800ceeff68f94d24d302e6ce
Instruction Fuzzy Hash: C9112271B002087FFF219F94DC90EBB3B6AEB98364F10412BF91897390C6399D518765

Function 004D3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0044600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0044604C
Part of subcall function 0044600E: GetStockObject.GDI32(00000011), ref: 00446060
Part of subcall function 0044600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0044606A

GetWindowRect.USER32(00000000,?), ref: 004D377A
GetSysColor.USER32(00000012), ref: 004D3794

Strings

static, xrefs: 004D3757

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: eb57c96b918cdaa56d1f626eb82be2ef7fb499d5b63829b9e5cbaff2f103bda5
Instruction ID: fc0cd06173cac8f1bbfd3cf2a2525b9ad7b54a156b47af07ae6bf56b961d23c6
Opcode Fuzzy Hash: eb57c96b918cdaa56d1f626eb82be2ef7fb499d5b63829b9e5cbaff2f103bda5
Instruction Fuzzy Hash: 011159B261060AAFDF00DFA8CC46AEA7BB8EB08304F00452AF955E2250D739E811DB64

Function 004BCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004BCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004BCDA6

Strings

<local>, xrefs: 004BCD66

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ce9d563cbc023c67c2ffb78bfb61432b0ffb826bdf7fa9c688e809ca380ba349
Instruction ID: 6593229dd68f8330d21f8bcc2e13eb8938a26f9a109c86a3041524e2ce44e710
Opcode Fuzzy Hash: ce9d563cbc023c67c2ffb78bfb61432b0ffb826bdf7fa9c688e809ca380ba349
Instruction Fuzzy Hash: 0311C279245632BAD7384B668CC9EE7BEACEF527A4F40423BB14983180D7789841D6F4

Function 004D3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004D34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004D34BA

Strings

edit, xrefs: 004D348F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 0dfbe3b06bc623a6073ca19c96c83c7f88adb74e936b347bfcee1f13724a0fd8
Instruction ID: 2f59a3fba9966ff46245516af3b08cc07ef20119f7348624a7216ad763ab03e4
Opcode Fuzzy Hash: 0dfbe3b06bc623a6073ca19c96c83c7f88adb74e936b347bfcee1f13724a0fd8
Instruction Fuzzy Hash: A1116D71100108AAEB118E64ECA4AEB376AEB15379F504327F961933D0C77DEC519B5A

Function 004A6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

CharUpperBuffW.USER32(?,?,?), ref: 004A6CB6
_wcslen.LIBCMT ref: 004A6CC2

Strings

STOP, xrefs: 004A6CBC, 004A6CC1

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 585f838addd6a1dcfa1d862e0a6b0067b0df7693e44685537eafc5f3cb32a4e4
Instruction ID: 51f64ff4f491644127389aad8bd5d4712397159713f694c84840bab8a5ce5ed0
Opcode Fuzzy Hash: 585f838addd6a1dcfa1d862e0a6b0067b0df7693e44685537eafc5f3cb32a4e4
Instruction Fuzzy Hash: 300104326005278BDB20AFBDDC808BF37A4EF72764716052AE86292295EB39D900C658

Function 004A1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004A1D4C

Strings

ComboBox, xrefs: 004A1CEB
ListBox, xrefs: 004A1D16

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 262886b944b74f2666aae01c137df1a02ea99058284643ea095d9063cb77da5a
Instruction ID: 15b7849d1167e34117b6e4773c509ced9e1cce4180d483045116549f4b1e2cc6
Opcode Fuzzy Hash: 262886b944b74f2666aae01c137df1a02ea99058284643ea095d9063cb77da5a
Instruction Fuzzy Hash: 0601F535611214ABDB04EBA4CC518FF7768FB23354F00061FB832573D1EA3869089664

Function 004A1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 004A1C46

Strings

ComboBox, xrefs: 004A1BE5
ListBox, xrefs: 004A1C10

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 071a49af97f0ce6f05aef86313eab9341a6e2db73793d0a2dccfd44056e4b402
Instruction ID: d21346630dbf068fb782e4f9e67ee212914faffb0e9e8c5e8d863d645ead0480
Opcode Fuzzy Hash: 071a49af97f0ce6f05aef86313eab9341a6e2db73793d0a2dccfd44056e4b402
Instruction Fuzzy Hash: 5901A775AC110466DB14FB91CD519FF77A89B27394F14001FB407672D2EA289E08D6B9

Function 004A1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 004A1CC8

Strings

ComboBox, xrefs: 004A1C69
ListBox, xrefs: 004A1C94

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8cbfb959939cb0bc9baa5f2f0d27be3b8cd24e6d1caf9223ccbeacf4a14da1a8
Instruction ID: f7a51ce49430393806f4c2f418fc2b9c8c77bb6fc90578602ee0c1d10dfc0609
Opcode Fuzzy Hash: 8cbfb959939cb0bc9baa5f2f0d27be3b8cd24e6d1caf9223ccbeacf4a14da1a8
Instruction Fuzzy Hash: 5201DB75A8111467DF04FB95CE41AFF77A89B23354F54001BB80273291FA289F08D6B9

Function 0045A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0045A529

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Strings

3yI, xrefs: 0045A545, 0045A54D, 0045A552
,%Q, xrefs: 0045A509

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%Q$3yI
API String ID: 2551934079-1071883843
Opcode ID: b2421759035faadda96409f4d5995b7c02545e247171ecd844caccc2912c28cf
Instruction ID: 648746e381d02eb8b48b1fab99bc4f4a83cb9c0427ee793c85b59d53f0d1da34
Opcode Fuzzy Hash: b2421759035faadda96409f4d5995b7c02545e247171ecd844caccc2912c28cf
Instruction Fuzzy Hash: 7901473170061497D600F7A9D85BE9E3354AB05715F50011FF9021B2C3FE5C6D598A9F

Function 004A1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 004A1DD3

Strings

ComboBox, xrefs: 004A1D75
ListBox, xrefs: 004A1DA0

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a4ebf01f1b1661291d97dc04fda52d19682a7369e3b0a27b14d596ab95f65b68
Instruction ID: 22d49934ac4b6e9a1eaf528c44c616dc7801ff811ab3188651c4907c5c818e70
Opcode Fuzzy Hash: a4ebf01f1b1661291d97dc04fda52d19682a7369e3b0a27b14d596ab95f65b68
Instruction Fuzzy Hash: 2EF02D71B4121466D704F7A5CC91FFF7778AB13354F44091FB422632D1EB786D088668

Function 0045FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00460668

Part of subcall function 004632A4: RaiseException.KERNEL32(?,?,?,0046068A,?,00511444,?,?,?,?,?,?,0046068A,00441129,00508738,00441129), ref: 00463304

__CxxThrowException@8.LIBVCRUNTIME ref: 00460685

Strings

Unknown exception, xrefs: 00460692

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: d79350511744dcf0ec1d8af1fcd7c5f1b34531754a836dd64b432e8bf0c56611
Instruction ID: 9cb27959b7f77c09cd8d132bb688fbda648552e3a84517e7ee9e3535ec688763
Opcode Fuzzy Hash: d79350511744dcf0ec1d8af1fcd7c5f1b34531754a836dd64b432e8bf0c56611
Instruction Fuzzy Hash: A4F0FF2490020D73CB00BAA6D846C9F7B6C6E00308B60403BB915866D2FF39DA2E858B

Function 004D8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00513018,0051305C), ref: 004D81BF
CloseHandle.KERNEL32 ref: 004D81D1

Strings

\0Q, xrefs: 004D818A

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0Q
API String ID: 3712363035-1506629975
Opcode ID: 39298829c5b8a0fc278ccc73f95ce168ab7a9d112297db2e89ca192b9a615c6f
Instruction ID: 2f46f9e9cc4a55fa7a43527276f2522fb7c47d8640e7181e99b9e487f1882361
Opcode Fuzzy Hash: 39298829c5b8a0fc278ccc73f95ce168ab7a9d112297db2e89ca192b9a615c6f
Instruction Fuzzy Hash: F8F05EB1640700BAF7206761AC69FF73EDCEB18754F004426BF08D52A2D6798F4492B9

Function 004C747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004C7493
_wcslen.LIBCMT ref: 004C74B9

Strings

3, 3, 16, 1, xrefs: 004C7483

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 543f7f5fbd605bfa83c3cff0e5a95485baa07f2ea8535f11277f376d504e51e9
Instruction ID: 45e17eaf5e2bffe9cb0ae5974074b864ff73e130e5230a90b159cc22b5b3f666
Opcode Fuzzy Hash: 543f7f5fbd605bfa83c3cff0e5a95485baa07f2ea8535f11277f376d504e51e9
Instruction Fuzzy Hash: 68E02B4A74462011A3B5127B9CC1F7F5A8ADFC9760714182FF981C2366FA9C8D9193AD

Function 004A0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004A0B23

Strings

AutoIt, xrefs: 004A0B17
Error allocating memory., xrefs: 004A0B1C

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 9a775e167b6fc839143063dce834c67a8458069c72b6458096579f3666b5b14e
Instruction ID: beb60d32a384848502b03807395dd6013ba68455c33db475916b32eda1e4b68d
Opcode Fuzzy Hash: 9a775e167b6fc839143063dce834c67a8458069c72b6458096579f3666b5b14e
Instruction Fuzzy Hash: 36E0D83134430926D2143795BC43F897B848F05F15F10042FFB48555C39ADA685486EE

Function 00460D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0045F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00460D71,?,?,?,0044100A), ref: 0045F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0044100A), ref: 00460D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0044100A), ref: 00460D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00460D7F

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ea63d9ddd9de19cb85ede8b66247d616cd774e183023d3b75d13869ea5c6fbea
Instruction ID: b4396aaf9c4384deaaf9898fd2facedd68c0a123982e56a229f96da5c52b3928
Opcode Fuzzy Hash: ea63d9ddd9de19cb85ede8b66247d616cd774e183023d3b75d13869ea5c6fbea
Instruction Fuzzy Hash: 1FE092702007018BD3309FB9E4483477BE4AF14749F008A7FE486C6755EBB8E448CB9A

Function 0045E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0045E3D5

Strings

8%Q, xrefs: 0045E3CA
0%Q, xrefs: 0045E3B5

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%Q$8%Q
API String ID: 1385522511-2527737110
Opcode ID: 9add2d6fbb9792fce667f23d7d305d5abad1d3831bc80dc2617747b3f047374f
Instruction ID: 8c4a2a4ae19e0495878f0562025d59f2ceb8b111f464fd6dc04e021678371acf
Opcode Fuzzy Hash: 9add2d6fbb9792fce667f23d7d305d5abad1d3831bc80dc2617747b3f047374f
Instruction Fuzzy Hash: 8FE02631400A10CBC708971AF9E4EC93397BB05325F1241ABEC02CF2D2EB386D89A64E

Function 004B3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 004B302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 004B3044

Strings

aut, xrefs: 004B3038

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b3277536a4cb5df4c3a667068b3ed478dc328f6ab5f84d2595a744fbca9442f0
Instruction ID: 13abb99cc5a8c4c081aa7898c79f42adcd3ca04a175a76869cb90a64868084a9
Opcode Fuzzy Hash: b3277536a4cb5df4c3a667068b3ed478dc328f6ab5f84d2595a744fbca9442f0
Instruction Fuzzy Hash: EED05B7190131467DA20A7949C4DFCB3B6CD704750F0002A2B655D20D1DAB09544CAD4

Function 0049D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0049D220

Strings

X64, xrefs: 0049D2A8
%.3d, xrefs: 0049D22B

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: c9ee536fc51e451d710907bd79b8d3d4af697d0c1c1a609f429ce980c0fe654a
Instruction ID: 7e60b206db3f89b3522522619b4067cad92b38d9d71239abe66f9f19c7c2704b
Opcode Fuzzy Hash: c9ee536fc51e451d710907bd79b8d3d4af697d0c1c1a609f429ce980c0fe654a
Instruction Fuzzy Hash: 47D01261C09109EACF5097D0DC498BDBB7CBB18301F5084B3FC0691081D62CD50EA76B

Function 004D2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004D236C
PostMessageW.USER32(00000000), ref: 004D2373

Part of subcall function 004AE97B: Sleep.KERNEL32 ref: 004AE9F3

Strings

Shell_TrayWnd, xrefs: 004D2365

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d5eabe8c3a6d1bb7d4d779b9b342d14d425be867012a1a85325c245ad38eb643
Instruction ID: 118abc622daaf8b6b6466703975a8a8aab730f7cb9861cb04c7a6f99d4823945
Opcode Fuzzy Hash: d5eabe8c3a6d1bb7d4d779b9b342d14d425be867012a1a85325c245ad38eb643
Instruction Fuzzy Hash: B1D0C972382321BAEA64A771AC4FFCA7A58AB15B14F0049277655AA1D0C9A4A801CA58

Function 004D2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004D232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004D233F

Part of subcall function 004AE97B: Sleep.KERNEL32 ref: 004AE9F3

Strings

Shell_TrayWnd, xrefs: 004D2325

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fdf151f8e975d3b289e382a6ce2166b8d07e5f8aa9bfe89ca91270416045b8f8
Instruction ID: cbfc64e605fddf7b1545781ed22937103b29056cdebe4301e6b55c2b8bb51b2a
Opcode Fuzzy Hash: fdf151f8e975d3b289e382a6ce2166b8d07e5f8aa9bfe89ca91270416045b8f8
Instruction Fuzzy Hash: 7FD02272381320B7EA74B331EC4FFCB7B08AB00B00F0009277305AA0D0C9F0A800CA08

Function 0047BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0047BE93
GetLastError.KERNEL32 ref: 0047BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0047BEFC

Memory Dump Source

Source File: 00000000.00000002.2199307839.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.2199224556.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2199891659.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200033822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2200076254.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 0485c0fed95156766e203775d21f581f7f78ca9f101a8892b8c46fb6a7bb3245
Instruction ID: a060bf7ae58d43eb116cd07179123c307ca63948accc4a1297d94b76ad0f830d
Opcode Fuzzy Hash: 0485c0fed95156766e203775d21f581f7f78ca9f101a8892b8c46fb6a7bb3245
Instruction Fuzzy Hash: 4D41C134601216ABCB218F65CC54BEB7BA4EF41B20F14C16BF95DA73A1EB348C01CB99

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2231296534.000001805C7B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2350791589.000001805F12C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2354319677.000001805F12C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2358909713.000001805F463000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2350153005.000001805FC84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2350153005.000001805FC67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2350153005.000001805FC84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2350153005.000001805FC67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2350791589.000001805F12C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2354319677.000001805F12C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2340783116.000001805C89C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2358909713.000001805F463000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289176958.000001805F440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2376994503.00000180543DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2376994503.00000180543DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2350153005.000001805FC84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2350153005.000001805FC67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2350153005.000001805FC84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2350153005.000001805FC67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000002.3386159799.00000150DC10C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000002.3386159799.00000150DC10C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000002.3386159799.00000150DC10C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2375325603.00000180535D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3387215969.000001FAC7803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3386159799.00000150DC10C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2375325603.00000180535D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3387215969.000001FAC7803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3386159799.00000150DC10C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2375325603.00000180535D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3387215969.000001FAC7803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3386159799.00000150DC10C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2289176958.000001805F440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://6edd4cbe-8a9f-4158-beca-90f5feba9c8c/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2350153005.000001805FC84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243601159.000001805123F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2378889357.000001805FCAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2242025219.0000018051265000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242172891.000001805126A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comLMEM(XU equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2242025219.0000018051265000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242172891.000001805126A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.coml?-xJ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2350153005.000001805FC84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243601159.000001805123F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2378889357.000001805FCAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2354319677.000001805F17F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2350791589.000001805F17F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2381659545.000001805F17F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2242025219.0000018051265000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242172891.000001805126A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comitedY? equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2340783116.000001805C89C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.6:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49892 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49893 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_5c9c6db3-4be8-4519-85ae-68ba3e2788e6.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_5c9c6db3-4be8-4519-85ae-68ba3e2788e6.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre