Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561564
MD5:	7f05860baee4ff5da95e342eaee96e85
SHA1:	a909d75ee89b3123f66c6ab227106c66e8cb5fb7
SHA256:	dabb569816b302dccb1fa4c032f5e39a2660d32c3f95ece75e9ebf4144ce0b17
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 4984 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7F05860BAEE4FF5DA95E342EAEE96E85)

taskkill.exe (PID: 1868 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5580 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 984 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6556 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6412 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5160 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5752 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6428 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5560 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2172 -parentBuildID 20230927232528 -prefsHandle 2084 -prefMapHandle 2076 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6789b02-c7c3-48d4-a1ac-a4a2567930bd} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 24d7ab6df10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7276 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -parentBuildID 20230927232528 -prefsHandle 4356 -prefMapHandle 2896 -prefsLen 30974 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {043b44f9-de79-4c7a-a5a7-8092897a0483} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 24d0d2c4810 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7700 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5024 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5004 -prefMapHandle 4964 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2f9f0cb-803a-47c5-a8fe-41a3040c8247} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 24d14af1d10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2131607447.00000000009F8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 4984	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0052EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0052EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0052ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0052ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0052EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0051AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0051AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00549576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00549576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2067067160.0000000000572000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_538bd96b-d
Source: file.exe, 00000000.00000000.2067067160.0000000000572000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_071be180-3
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d536025e-e
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_59b3bba3-a

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002113D419172 NtQuerySystemInformation,		17_2_000002113D419172
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002113D412BF7 NtQuerySystemInformation,		17_2_000002113D412BF7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0051D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0051D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00511201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00511201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0051E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0051E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004BBF40	0_2_004BBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00522046	0_2_00522046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B8060	0_2_004B8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00518298	0_2_00518298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004EE4FF	0_2_004EE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E676B	0_2_004E676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00544873	0_2_00544873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004BCAF0	0_2_004BCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DCAA0	0_2_004DCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004CCC39	0_2_004CCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E6DD9	0_2_004E6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004CB119	0_2_004CB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B91C0	0_2_004B91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D1394	0_2_004D1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D1706	0_2_004D1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D781B	0_2_004D781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C997D	0_2_004C997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B7920	0_2_004B7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D19B0	0_2_004D19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D7A4A	0_2_004D7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D1C77	0_2_004D1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D7CA7	0_2_004D7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053BE44	0_2_0053BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E9EEE	0_2_004E9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D1F32	0_2_004D1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002113D419172	17_2_000002113D419172
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002113D412BF7	17_2_000002113D412BF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002113D4191B2	17_2_000002113D4191B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002113D41989C	17_2_000002113D41989C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004D0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004CF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004B9CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005237B5 GetLastError,FormatMessageW,

0_2_005237B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005110BF AdjustTokenPrivileges,CloseHandle,		0_2_005110BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005116C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005251CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0051D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0051D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0052648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0052648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004B42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2243152604.0000024D167D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2205039424.0000024D167D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2236584750.0000024D16D57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2295240983.0000024D16D57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2172 -parentBuildID 20230927232528 -prefsHandle 2084 -prefMapHandle 2076 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6789b02-c7c3-48d4-a1ac-a4a2567930bd} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 24d7ab6df10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -parentBuildID 20230927232528 -prefsHandle 4356 -prefMapHandle 2896 -prefsLen 30974 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {043b44f9-de79-4c7a-a5a7-8092897a0483} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 24d0d2c4810 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5024 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5004 -prefMapHandle 4964 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2f9f0cb-803a-47c5-a8fe-41a3040c8247} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 24d14af1d10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2172 -parentBuildID 20230927232528 -prefsHandle 2084 -prefMapHandle 2076 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6789b02-c7c3-48d4-a1ac-a4a2567930bd} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 24d7ab6df10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -parentBuildID 20230927232528 -prefsHandle 4356 -prefMapHandle 2896 -prefsLen 30974 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {043b44f9-de79-4c7a-a5a7-8092897a0483} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 24d0d2c4810 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5024 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5004 -prefMapHandle 4964 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2f9f0cb-803a-47c5-a8fe-41a3040c8247} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 24d14af1d10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: kbdus.pdb source: firefox.exe, 0000000E.00000003.2257994366.0000024D0A49C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2257267183.0000024D13544000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2257267183.0000024D13544000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2255601973.0000024D0A4A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2255601973.0000024D0A4A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdbGCTL source: firefox.exe, 0000000E.00000003.2257994366.0000024D0A49C000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004B42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004D0A76 push ecx; ret

0_2_004D0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004CF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004CF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00541C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00541C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95818

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002113D419172 rdtsc

17_2_000002113D419172

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Users\user\Desktop\file.exe TID: 6648	Thread sleep count: 112 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6648	Thread sleep count: 162 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0051DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004EC2A2 FindFirstFileExW,	0_2_004EC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005268EE FindFirstFileW,FindClose,	0_2_005268EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0052698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0051D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0051D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00529642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00529642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0052979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00529B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00529B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00525C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00525C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004B42DE

Source: firefox.exe, 00000011.00000002.3320845853.000002113D440000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGB^Ul
Source: firefox.exe, 00000010.00000002.3321910535.000001747F600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: firefox.exe, 00000011.00000002.3320845853.000002113D440000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ@k
Source: firefox.exe, 00000010.00000002.3321910535.000001747F600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3316083518.000002113CB3A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3320845853.000002113D440000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3321272779.000001747F520000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.3321125750.00000224AA800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: firefox.exe, 00000010.00000002.3317900363.000001747F05A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000012.00000002.3316516757.00000224AA47A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 00000010.00000002.3321910535.000001747F600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3320845853.000002113D440000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002113D419172 rdtsc

17_2_000002113D419172

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0052EAA2 BlockInput,

0_2_0052EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004E2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004B42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004D4CE8 mov eax, dword ptr fs:[00000030h]

0_2_004D4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00510B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00510B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004E2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004D083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D09D5 SetUnhandledExceptionFilter,	0_2_004D09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004D0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00511201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004F2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_004F2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0051B226 SendInput,keybd_event,

0_2_0051B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005322DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00510B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00511663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00511663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2199473363.0000024D13561000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004D0698 cpuid

0_2_004D0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00528195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00528195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0050D27A GetUserNameW,

0_2_0050D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004EB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_004EB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004B42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2131607447.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4984, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2131607447.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4984, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00531204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00531204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00531806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00531806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://ocsp.digices	0%	Avira URL Cloud	safe
https://browser/siteProtections.ftlbrowser/appmenu.ftl	0%	Avira URL Cloud	safe
http://exslt.org/dates-and-timesZ	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.193.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.142	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.21.46	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.3317310359.000002113CEC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3318497386.00000224AA7C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2295240983.0000024D16DE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 0000000E.00000003.2318109040.0000024D7EAAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3318998099.000001747F4C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3317310359.000002113CEF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3321298534.00000224AA904000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3318497386.00000224AA78F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2171231259.0000024D14B56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269110400.0000024D14B55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2246120604.0000024D14B55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162534557.0000024D14B56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315519755.0000024D14B58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2158135589.0000024D14B59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176924790.0000024D14B56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297498418.0000024D14B55000.00000004.00000800.00020000.00000000.sdmp	false		high
https://browser/siteProtections.ftlbrowser/appmenu.ftl	firefox.exe, 0000000E.00000003.2202881509.0000024D170AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261367195.0000024D170AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311421371.0000024D170AE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2246018125.0000024D14BE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2298023890.0000024D13E7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270500908.0000024D13E7B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2246018125.0000024D14BE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2132104457.0000024D0AA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2132919356.0000024D0AC8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2132774022.0000024D0AC6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2132450877.0000024D0AC38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2132280181.0000024D0AC1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2132620526.0000024D0AC53000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2245045968.0000024D14CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.microso	firefox.exe, 0000000E.00000003.2199590314.0000024D13558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2171508092.0000024D125F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248343883.0000024D125F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2302061441.0000024D0D4C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2132450877.0000024D0AC38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2132280181.0000024D0AC1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277995061.0000024D0C20D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2132620526.0000024D0AC53000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 0000000E.00000003.2300272050.0000024D0DFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2132104457.0000024D0AA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2132774022.0000024D0AC6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2132450877.0000024D0AC38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2132280181.0000024D0AC1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2132620526.0000024D0AC53000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
http://exslt.org/sets	firefox.exe, 0000000E.00000003.2318109040.0000024D7EA86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161267990.0000024D7EA8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/	firefox.exe, 0000000E.00000003.2159121116.0000024D13E1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297719402.0000024D1474B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2171231259.0000024D14B56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269110400.0000024D14B55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2246120604.0000024D14B55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162534557.0000024D14B56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315519755.0000024D14B58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2158135589.0000024D14B59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176924790.0000024D14B56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297498418.0000024D14B55000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
http://exslt.org/common	firefox.exe, 0000000E.00000003.2318109040.0000024D7EA86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2161267990.0000024D7EA8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2246018125.0000024D14BE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2294226581.0000024D7F3D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
http://exslt.org/dates-and-times	firefox.exe, 0000000E.00000003.2161267990.0000024D7EA61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2163412136.0000024D0B98D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2172520967.0000024D0B98D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2288482007.0000024D0A2FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2138537001.0000024D0A2FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2246018125.0000024D14BE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3317310359.000002113CE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3318497386.00000224AA70C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2185382546.0000024D0B7AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2184852832.0000024D0B795000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2298857274.0000024D12EB5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.3317310359.000002113CEC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3318497386.00000224AA7C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2297625818.0000024D14AEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316015968.0000024D14AEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177160827.0000024D14AEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2319778858.0000024D14AEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162991842.0000024D14AEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270330012.0000024D14AD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2158789823.0000024D14B4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2158789823.0000024D14B48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2247104035.0000024D14AD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2184852832.0000024D0B77A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2185382546.0000024D0B7AD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2270417970.0000024D0C2C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2313606385.0000024D15FBA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2245045968.0000024D14CF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2176924790.0000024D14B33000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 0000000E.00000003.2318109040.0000024D7EAAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3318998099.000001747F4C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3317310359.000002113CEF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3321298534.00000224AA904000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		high
http://ocsp.digices	firefox.exe, 0000000E.00000003.2199590314.0000024D13558000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 0000000E.00000003.2318109040.0000024D7EAAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3318998099.000001747F4C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3317310359.000002113CEF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3321298534.00000224AA904000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		high
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2246018125.0000024D14BE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3317310359.000002113CE12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3318497386.00000224AA713000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
http://exslt.org/dates-and-timesZ	firefox.exe, 0000000E.00000003.2318109040.0000024D7EA61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000010.00000002.3318595804.000001747F3F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2268062988.0000024D15FBA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2171508092.0000024D125F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248343883.0000024D125F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2298857274.0000024D12EC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2261367195.0000024D170C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258306007.0000024D1268E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2178293863.0000024D0C23F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2311042259.0000024D0C2DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280544659.0000024D0B178000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301026529.0000024D0DF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2260670693.0000024D129A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2300272050.0000024D0DFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://youtube.com/	firefox.exe, 0000000E.00000003.2298857274.0000024D12EB5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2300272050.0000024D0DFB2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false		high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2247895011.0000024D127B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2163412136.0000024D0B98D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2172520967.0000024D0B98D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2159847731.0000024D127B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297719402.0000024D1474B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2247895011.0000024D127B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2163412136.0000024D0B98D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2172520967.0000024D0B98D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2159847731.0000024D127B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297719402.0000024D1474B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2298857274.0000024D12EC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2298857274.0000024D12ECE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2284378448.0000024D0A170000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2296860236.0000024D14C21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2184852832.0000024D0B77A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2185382546.0000024D0B7AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2184852832.0000024D0B795000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2288482007.0000024D0A2FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2138537001.0000024D0A2FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284378448.0000024D0A170000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2159388041.0000024D1286D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2312879253.0000024D167D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243152604.0000024D167E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2132620526.0000024D0AC53000.00000004.00000800.00020000.00000000.sdmp	false		high
https://truecolors.firefox.com/	firefox.exe, 0000000E.00000003.2268062988.0000024D15FBA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	firefox.exe, 0000000E.00000003.2270500908.0000024D13E7B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.2171508092.0000024D125F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248343883.0000024D125F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000E.00000003.2171231259.0000024D14B56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269110400.0000024D14B55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2246120604.0000024D14B55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162534557.0000024D14B56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315519755.0000024D14B58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2158135589.0000024D14B59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176924790.0000024D14B56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2297498418.0000024D14B55000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3318339127.000001747F160000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3319814250.000002113D380000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3317794527.00000224AA570000.00000002.10000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.142	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561564
Start date and time:	2024-11-23 19:51:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@66/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.12.64.98, 35.80.238.59, 35.164.125.63, 172.217.17.42, 172.217.17.46, 88.221.134.155, 88.221.134.209
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:52:15	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.244.42.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	https://elizgallery.com/nazvanie.js	Get hash	malicious	Unknown	Browse	34.117.77.79
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	sora.arm.elf	Get hash	malicious	Mirai	Browse	32.35.17.38
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	57.28.196.7
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	34.14.230.135

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c06fe41f-c289-4a52-9cc3-7be4e2802015.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177766413145864
Encrypted:	false
SSDEEP:	192:7KMXuIbcbhbVbTbfbRbObtbyEl7nUr1JA6wnSrDtTkd/SG:7P7cNhnzFSJ0rwjnSrDhkd/z
MD5:	2ED6615854288FAFF9E0BB0E19A5FFB7
SHA1:	7A7CA4A0288FF7D7C8296BC14E7694CDA28EEAC1
SHA-256:	9D6FE11E950EE9DF88215C07042343C733D1DB41DC905C1299E2C085E1F2AA73
SHA-512:	6AF6C8FF0396DCCA101C1FF42D50FD3C291F16FBE9CD691A3BD4CD294E36248437B9670485284CA0AE6040D1EDBB87E1DFD05E4C9EA16A83A3A34D4105C54812
Malicious:	false
Preview:	{"type":"uninstall","id":"c06fe41f-c289-4a52-9cc3-7be4e2802015","creationDate":"2024-11-23T20:24:46.348Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c06fe41f-c289-4a52-9cc3-7be4e2802015.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177766413145864
Encrypted:	false
SSDEEP:	192:7KMXuIbcbhbVbTbfbRbObtbyEl7nUr1JA6wnSrDtTkd/SG:7P7cNhnzFSJ0rwjnSrDhkd/z
MD5:	2ED6615854288FAFF9E0BB0E19A5FFB7
SHA1:	7A7CA4A0288FF7D7C8296BC14E7694CDA28EEAC1
SHA-256:	9D6FE11E950EE9DF88215C07042343C733D1DB41DC905C1299E2C085E1F2AA73
SHA-512:	6AF6C8FF0396DCCA101C1FF42D50FD3C291F16FBE9CD691A3BD4CD294E36248437B9670485284CA0AE6040D1EDBB87E1DFD05E4C9EA16A83A3A34D4105C54812
Malicious:	false
Preview:	{"type":"uninstall","id":"c06fe41f-c289-4a52-9cc3-7be4e2802015","creationDate":"2024-11-23T20:24:46.348Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927699197114836
Encrypted:	false
SSDEEP:	96:8S+OVPUFRbOdwNIOdYpjvY1Q6LPrnyy8P:8S+OpU3OdwiOdkjULjyy8P
MD5:	62F6E174344FAA469F7763330B12D854
SHA1:	924128169807EFF341492747BC101398B9697387
SHA-256:	FEC886F0C2670FE6A858C71F1887E41C3C2AAC431F4E82ED92D576015A5AF330
SHA-512:	6C99632F061B5EBA687EAE6724550FA1B25974751ED46DA2544B51D4D22D1AE589CFFDA63C4FB0004ABC7FD0D58394E662921B73C6A969EE297F97A1DA300423
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927699197114836
Encrypted:	false
SSDEEP:	96:8S+OVPUFRbOdwNIOdYpjvY1Q6LPrnyy8P:8S+OpU3OdwiOdkjULjyy8P
MD5:	62F6E174344FAA469F7763330B12D854
SHA1:	924128169807EFF341492747BC101398B9697387
SHA-256:	FEC886F0C2670FE6A858C71F1887E41C3C2AAC431F4E82ED92D576015A5AF330
SHA-512:	6C99632F061B5EBA687EAE6724550FA1B25974751ED46DA2544B51D4D22D1AE589CFFDA63C4FB0004ABC7FD0D58394E662921B73C6A969EE297F97A1DA300423
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07329726171064851
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	87F27790D4742C30D7791B71777AE4E1
SHA1:	D8701F83FEF9F1C7010862EE11A083D627E214AE
SHA-256:	09BD0E88509174E94ACB65036628509277B00A98B570C8DCE919076373B7F9B3
SHA-512:	9CF619DE0CA597EE377F319237466D05933B0B3F63C31CCC0DCEA03EC4A2B6E9C695D598F3420F4C298F2FECD1C623F2AB732209E57B43E10A974A6608AA7626
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035325086693798996
Encrypted:	false
SSDEEP:	3:GtlstFQ3XSFltlstFQ3XSqL89//alEl:GtWtSnSftWtSnSQ89XuM
MD5:	669A39A021D8C79C83C781A362CCAEBE
SHA1:	880F71DF3CE2248385C4E2DA16C2A641BAEE5070
SHA-256:	92D2D955C444D7495DB281C2A61853F6189F4F79ACB114A1727CAD0274F25AA8
SHA-512:	70349732688F261546DF5C3A93B871E3F212E1DD28448E7765F6BB7C432771F48962DF306999834544B31D86AB9AA3581727CEC9C3F6925681039ED02D9310FB
Malicious:	false
Preview:	..-......................b...L..o7....DeQ.......-......................b...L..o7....DeQ.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03975239513986009
Encrypted:	false
SSDEEP:	3:Ol1R0aL/R1gCfKNECnPbvlqwl8rEXsxdwhml8XW3R2:K8I/Tgs9wl8dMhm93w
MD5:	987643620B8B99DCBA4E82F5F239D018
SHA1:	78998CDD554616B2526E6520724CFF10139963BA
SHA-256:	99394AC47529A4E4860B5B7324B01AD1AFC590F2CF1D1DC2C75C7F46A2242DC4
SHA-512:	14F6A1B77DA898E2E15645197877178876F055F5F2987F04B25A0B9ED6B525440873376E2C37E8613E290ABE6D4C98CBF46E304DC0658D888EFFC2C66A105891
Malicious:	false
Preview:	7....-..........o7....D..:.............o7....D..b...L.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477937599925889
Encrypted:	false
SSDEEP:	192:QnPOeRnLYbBp6HJ0aX+g6SEXKAVNbqF5RHWNBw8d2Sl:KDeiJUDNfeRHEwF0
MD5:	9D4A7BA0B93640110E60A27CFE7CE0FB
SHA1:	7DA9D47BA52E04265BADE1E55C170147B877B77E
SHA-256:	94720CE2188BFADDBEF847A43E6CDD49F450CF06AE4BE0C6A51D0B65DD4B69F8
SHA-512:	719C5DB03235A654D1C3749FEE402B73C03FE2D0A37A660A9F8745692802918F6EC5F6D707298722139118CDCB50C0AA4B34FFDD6C73E94202635C08BE07F386
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732393456);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732393456);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732393456);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173239

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477937599925889
Encrypted:	false
SSDEEP:	192:QnPOeRnLYbBp6HJ0aX+g6SEXKAVNbqF5RHWNBw8d2Sl:KDeiJUDNfeRHEwF0
MD5:	9D4A7BA0B93640110E60A27CFE7CE0FB
SHA1:	7DA9D47BA52E04265BADE1E55C170147B877B77E
SHA-256:	94720CE2188BFADDBEF847A43E6CDD49F450CF06AE4BE0C6A51D0B65DD4B69F8
SHA-512:	719C5DB03235A654D1C3749FEE402B73C03FE2D0A37A660A9F8745692802918F6EC5F6D707298722139118CDCB50C0AA4B34FFDD6C73E94202635C08BE07F386
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732393456);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732393456);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732393456);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173239

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1552
Entropy (8bit):	6.330293592169228
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSgRTLXnIfBw/pnxQwRcrT5sKmgb2H3eHVpjO+uamhujJWO2c0TSVm8:GUpOxVTU2nRchegqH3erjxu4JWclzBtT
MD5:	39540912A1B027E32FAD2D122F822579
SHA1:	0C0167D7CF20BAC7B042D526020C56F63F4D4BC1
SHA-256:	DA3411E17B255281DF5381736553C54A7D70CBF3DBD4E0F4E5990AD0AA735954
SHA-512:	CDBF7C88EA6AF9830CCAAB7485F26ADB8421ABA66089F7A2C464FDD607D1F0450D31EB24FBEB0824E1DC727E57C01E9562D3213A44EA086ABEBACA49078D33AB
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":5,"docshellUU...D"{5ec0f1c1-00ba-4044-945e-05c34b6b3175}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":6,"persistK..+}],"lastAccessed":1732393462274,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..0262...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...31787,"originA...."first

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1552
Entropy (8bit):	6.330293592169228
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSgRTLXnIfBw/pnxQwRcrT5sKmgb2H3eHVpjO+uamhujJWO2c0TSVm8:GUpOxVTU2nRchegqH3erjxu4JWclzBtT
MD5:	39540912A1B027E32FAD2D122F822579
SHA1:	0C0167D7CF20BAC7B042D526020C56F63F4D4BC1
SHA-256:	DA3411E17B255281DF5381736553C54A7D70CBF3DBD4E0F4E5990AD0AA735954
SHA-512:	CDBF7C88EA6AF9830CCAAB7485F26ADB8421ABA66089F7A2C464FDD607D1F0450D31EB24FBEB0824E1DC727E57C01E9562D3213A44EA086ABEBACA49078D33AB
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":5,"docshellUU...D"{5ec0f1c1-00ba-4044-945e-05c34b6b3175}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":6,"persistK..+}],"lastAccessed":1732393462274,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..0262...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...31787,"originA...."first

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1552
Entropy (8bit):	6.330293592169228
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSgRTLXnIfBw/pnxQwRcrT5sKmgb2H3eHVpjO+uamhujJWO2c0TSVm8:GUpOxVTU2nRchegqH3erjxu4JWclzBtT
MD5:	39540912A1B027E32FAD2D122F822579
SHA1:	0C0167D7CF20BAC7B042D526020C56F63F4D4BC1
SHA-256:	DA3411E17B255281DF5381736553C54A7D70CBF3DBD4E0F4E5990AD0AA735954
SHA-512:	CDBF7C88EA6AF9830CCAAB7485F26ADB8421ABA66089F7A2C464FDD607D1F0450D31EB24FBEB0824E1DC727E57C01E9562D3213A44EA086ABEBACA49078D33AB
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":5,"docshellUU...D"{5ec0f1c1-00ba-4044-945e-05c34b6b3175}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":6,"persistK..+}],"lastAccessed":1732393462274,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..0262...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...31787,"originA...."first

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029048848357824
Encrypted:	false
SSDEEP:	96:ycSYMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:wTEr5NX0z3DhRe
MD5:	03ECE7BB2B219B94890910535281DC99
SHA1:	74489C11827C958619F9F232FC3BD13240C4CE28
SHA-256:	BAB0749CB5D47BA3843CF115B8BD51002FEDAF37DFFD3397B75B6CD82A802A74
SHA-512:	846989D3739E4E8B547356FC7D5B63DB4E55E3B6144547AFDBBC6CFDC989E06C24F65AFEB572F55562F2B38D31F6D61C97935E7318C870FFBBEC0D9D58E1C96D
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T20:24:05.394Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029048848357824
Encrypted:	false
SSDEEP:	96:ycSYMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:wTEr5NX0z3DhRe
MD5:	03ECE7BB2B219B94890910535281DC99
SHA1:	74489C11827C958619F9F232FC3BD13240C4CE28
SHA-256:	BAB0749CB5D47BA3843CF115B8BD51002FEDAF37DFFD3397B75B6CD82A802A74
SHA-512:	846989D3739E4E8B547356FC7D5B63DB4E55E3B6144547AFDBBC6CFDC989E06C24F65AFEB572F55562F2B38D31F6D61C97935E7318C870FFBBEC0D9D58E1C96D
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T20:24:05.394Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.591406128973678
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'112 bytes
MD5:	7f05860baee4ff5da95e342eaee96e85
SHA1:	a909d75ee89b3123f66c6ab227106c66e8cb5fb7
SHA256:	dabb569816b302dccb1fa4c032f5e39a2660d32c3f95ece75e9ebf4144ce0b17
SHA512:	a963cabe33d4f92041a1731afae796add8fd1ebb448583edfa9cf1a7e427bad514881b9dbf3d404c700d3bb24beab89fad4266fbaefd1aef3e76d4fad05bc0d0
SSDEEP:	12288:mqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgawTp:mqDEvCTbMWu7rQYlBQcBiT6rprG8aIp
TLSH:	28159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674220A2 [Sat Nov 23 18:36:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F94E0B62073h
jmp 00007F94E0B6197Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F94E0B61B5Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F94E0B61B2Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F94E0B6471Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F94E0B64768h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F94E0B64751h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa784	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa784	0xa800	3e20b0d859ef6e463bca65b2be20d177	False	0.3679315476190476	data	5.6105329820699605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1a4a	data			1.0016344725111441
RT_GROUP_ICON	0xde204	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde27c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde290	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde2a4	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde2b8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde394	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 19:52:12.403872013 CET	49712	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:12.403918028 CET	443	49712	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:12.404089928 CET	49712	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:12.411690950 CET	49712	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:12.411714077 CET	443	49712	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:12.448478937 CET	49713	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:12.448529005 CET	443	49713	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:12.448625088 CET	49713	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:12.450095892 CET	49713	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:12.450118065 CET	443	49713	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:12.512641907 CET	49714	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:12.512681007 CET	443	49714	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:12.512749910 CET	49714	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:12.514286041 CET	49714	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:12.514298916 CET	443	49714	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:12.851186037 CET	49715	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:12.989485979 CET	80	49715	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:12.989609957 CET	49715	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:12.989828110 CET	49715	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:12.993448019 CET	49717	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:12.993520021 CET	443	49717	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:12.993788958 CET	49717	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:12.997972965 CET	49717	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:12.997996092 CET	443	49717	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:12.998413086 CET	49718	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:12.998440981 CET	443	49718	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:12.998543978 CET	49719	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:12.998552084 CET	443	49719	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:12.998574972 CET	49718	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:12.998600960 CET	49719	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:12.998747110 CET	49719	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:12.998755932 CET	443	49719	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:13.000413895 CET	49718	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:13.000426054 CET	443	49718	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:13.012382030 CET	49720	443	192.168.2.5	34.160.144.191
Nov 23, 2024 19:52:13.012415886 CET	443	49720	34.160.144.191	192.168.2.5
Nov 23, 2024 19:52:13.012490988 CET	49720	443	192.168.2.5	34.160.144.191
Nov 23, 2024 19:52:13.012660027 CET	49720	443	192.168.2.5	34.160.144.191
Nov 23, 2024 19:52:13.012671947 CET	443	49720	34.160.144.191	192.168.2.5
Nov 23, 2024 19:52:13.116184950 CET	80	49715	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:13.733968973 CET	443	49712	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:13.734607935 CET	49712	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:13.833158016 CET	49712	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:13.833184958 CET	443	49712	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:13.833389044 CET	49712	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:13.833535910 CET	443	49712	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:13.833785057 CET	49721	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:13.833828926 CET	443	49721	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:13.834867954 CET	49712	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:13.834906101 CET	49721	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:13.836416006 CET	49721	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:13.836431026 CET	443	49721	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:14.131206989 CET	80	49715	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:14.182643890 CET	49715	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:14.251135111 CET	443	49718	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:14.251621008 CET	49718	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:14.280519962 CET	443	49719	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:14.282896042 CET	49719	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:14.288567066 CET	443	49717	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:14.295360088 CET	443	49717	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:14.299448967 CET	49717	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:14.311260939 CET	49719	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:14.311299086 CET	443	49719	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:14.312283993 CET	443	49719	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:14.329440117 CET	443	49713	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:14.330148935 CET	443	49713	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:14.333870888 CET	49718	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:14.333900928 CET	443	49718	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:14.333964109 CET	49718	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:14.334518909 CET	443	49718	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:14.335333109 CET	443	49713	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:14.336688995 CET	49719	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:14.336760998 CET	49719	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:14.337165117 CET	443	49719	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:14.338702917 CET	443	49714	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:14.339039087 CET	49717	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:14.339056969 CET	443	49717	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:14.339102030 CET	49717	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:14.339715958 CET	443	49714	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:14.339896917 CET	49718	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:14.339910030 CET	49713	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:14.340205908 CET	443	49717	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:14.343576908 CET	443	49720	34.160.144.191	192.168.2.5
Nov 23, 2024 19:52:14.346211910 CET	49719	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:14.346244097 CET	49717	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:14.346275091 CET	49714	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:14.346290112 CET	443	49714	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:14.346333981 CET	49720	443	192.168.2.5	34.160.144.191
Nov 23, 2024 19:52:14.400418043 CET	49720	443	192.168.2.5	34.160.144.191
Nov 23, 2024 19:52:14.400487900 CET	49714	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:14.727618933 CET	49720	443	192.168.2.5	34.160.144.191
Nov 23, 2024 19:52:14.727639914 CET	443	49720	34.160.144.191	192.168.2.5
Nov 23, 2024 19:52:14.728035927 CET	443	49720	34.160.144.191	192.168.2.5
Nov 23, 2024 19:52:14.735600948 CET	49720	443	192.168.2.5	34.160.144.191
Nov 23, 2024 19:52:14.735730886 CET	49720	443	192.168.2.5	34.160.144.191
Nov 23, 2024 19:52:14.735791922 CET	443	49720	34.160.144.191	192.168.2.5
Nov 23, 2024 19:52:14.735817909 CET	49713	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:14.735862017 CET	443	49713	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:14.735949993 CET	49713	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:14.735964060 CET	49714	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:14.735976934 CET	443	49714	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:14.736141920 CET	49714	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:14.736210108 CET	443	49713	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:14.736404896 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:14.736440897 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:14.736660004 CET	443	49714	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:14.738004923 CET	49720	443	192.168.2.5	34.160.144.191
Nov 23, 2024 19:52:14.738019943 CET	49713	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:14.738074064 CET	49714	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:14.738158941 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:14.739398956 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:14.739411116 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:14.767852068 CET	49715	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:14.800401926 CET	49723	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:14.800442934 CET	443	49723	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:14.802017927 CET	49723	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:14.803477049 CET	49723	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:14.803495884 CET	443	49723	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:14.887953997 CET	80	49715	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:14.888026953 CET	49715	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:15.113138914 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:15.113406897 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:15.115655899 CET	443	49721	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:15.118982077 CET	49721	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:15.124284029 CET	49721	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:15.124294043 CET	443	49721	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:15.124375105 CET	49721	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:15.124521017 CET	443	49721	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:15.124573946 CET	49721	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:15.241919041 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:15.241971016 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:15.241993904 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:15.242178917 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:15.242321968 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:15.242458105 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:15.361702919 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:15.366115093 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:16.087532043 CET	443	49723	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:16.091217041 CET	49723	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:16.113420010 CET	49723	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:16.113446951 CET	443	49723	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:16.113590002 CET	49723	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:16.113935947 CET	443	49723	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:16.114074945 CET	49728	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:16.114141941 CET	443	49728	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:16.114222050 CET	49723	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:16.114265919 CET	49728	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:16.116260052 CET	49728	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:16.116292953 CET	443	49728	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:16.222980976 CET	49729	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:16.223048925 CET	443	49729	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:16.224594116 CET	49729	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:16.226836920 CET	49729	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:16.226857901 CET	443	49729	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:16.271013021 CET	49730	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:16.271071911 CET	443	49730	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:16.271290064 CET	49730	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:16.273355007 CET	49730	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:16.273372889 CET	443	49730	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:16.299161911 CET	49731	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:16.299211979 CET	443	49731	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:16.299549103 CET	49731	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:16.299695015 CET	49731	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:16.299724102 CET	443	49731	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:16.300792933 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:16.300811052 CET	443	49732	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:16.301291943 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:16.302674055 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:16.302692890 CET	443	49732	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:16.375077009 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:16.418154955 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:16.423732996 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:16.451829910 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:16.478964090 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:16.482161045 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:16.483073950 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:16.484841108 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:16.484872103 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:16.490324020 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:16.490343094 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:16.490469933 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:16.490506887 CET	443	49722	142.250.181.142	192.168.2.5
Nov 23, 2024 19:52:16.496684074 CET	49722	443	192.168.2.5	142.250.181.142
Nov 23, 2024 19:52:16.497591019 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:16.636554003 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:16.636858940 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:16.841358900 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:16.850760937 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:16.884123087 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:16.899736881 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:17.428148985 CET	443	49728	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:17.428236961 CET	49728	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:17.448062897 CET	49728	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:17.448080063 CET	443	49728	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:17.448158026 CET	49728	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:17.448252916 CET	443	49728	34.117.188.166	192.168.2.5
Nov 23, 2024 19:52:17.448307991 CET	49728	443	192.168.2.5	34.117.188.166
Nov 23, 2024 19:52:17.605890036 CET	443	49731	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:17.605976105 CET	49731	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:17.609044075 CET	49731	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:17.609060049 CET	443	49731	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:17.609323978 CET	443	49731	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:17.612421036 CET	49731	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:17.612498045 CET	49731	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:17.612591028 CET	443	49731	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:17.612657070 CET	49731	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:17.659508944 CET	443	49732	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:17.659585953 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:17.662158012 CET	443	49730	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:17.663203955 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:17.663211107 CET	443	49732	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:17.663285017 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:17.663362980 CET	443	49732	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:17.664102077 CET	49732	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:17.664102077 CET	49730	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:17.667763948 CET	443	49729	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:17.667839050 CET	49729	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:17.673188925 CET	49730	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:17.673204899 CET	443	49730	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:17.673250914 CET	49730	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:17.673348904 CET	49729	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:17.673353910 CET	443	49729	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:17.673412085 CET	49729	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:17.673441887 CET	443	49730	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:17.673640966 CET	443	49729	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:17.673734903 CET	49730	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:17.673754930 CET	49729	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:20.848275900 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:20.910057068 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:21.161645889 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:21.204204082 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:21.366137028 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:21.420588970 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:21.422842979 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:21.481122971 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:22.272535086 CET	49736	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:22.272574902 CET	443	49736	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:22.273900032 CET	49736	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:22.275330067 CET	49736	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:22.275342941 CET	443	49736	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:23.517520905 CET	443	49736	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:23.517606974 CET	49736	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:23.521883011 CET	49736	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:23.521892071 CET	443	49736	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:23.521991014 CET	49736	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:23.522054911 CET	443	49736	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:23.522218943 CET	49736	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:26.790317059 CET	49746	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:26.790358067 CET	443	49746	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:26.794187069 CET	49746	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:26.795746088 CET	49746	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:26.795758963 CET	443	49746	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:27.737641096 CET	49747	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:27.737684011 CET	443	49747	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:27.737884045 CET	49748	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:27.737945080 CET	443	49748	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:27.740082979 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:27.743221998 CET	49747	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:27.743360996 CET	49748	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:27.743364096 CET	49747	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:27.743377924 CET	443	49747	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:27.743453979 CET	49748	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:27.743474007 CET	443	49748	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:27.886326075 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:28.091995955 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:28.113722086 CET	443	49746	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:28.113794088 CET	49746	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:28.118937969 CET	49746	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:28.118951082 CET	443	49746	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:28.119029999 CET	49746	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:28.119101048 CET	443	49746	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:28.119185925 CET	49746	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:28.135703087 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:28.978607893 CET	443	49748	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:28.979335070 CET	49748	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.074549913 CET	443	49747	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:29.076502085 CET	49747	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.152668953 CET	49748	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.152713060 CET	443	49748	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:29.152987957 CET	443	49748	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:29.154974937 CET	49747	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.154987097 CET	443	49747	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:29.155117989 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:29.155438900 CET	443	49747	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:29.158730984 CET	49748	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.158808947 CET	49748	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.158909082 CET	443	49748	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:29.158930063 CET	49747	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.158951044 CET	49747	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.159080029 CET	49747	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.159089088 CET	443	49747	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:29.159094095 CET	49748	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.159276962 CET	49747	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.275206089 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:29.404431105 CET	49756	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.404494047 CET	443	49756	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:29.407028913 CET	49757	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.407048941 CET	443	49757	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:29.417412043 CET	49756	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.417412996 CET	49757	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.420380116 CET	49756	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.420403004 CET	443	49756	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:29.420481920 CET	49757	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.420496941 CET	443	49757	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:29.421801090 CET	49758	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:29.421811104 CET	443	49758	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:29.431375027 CET	49758	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:29.432899952 CET	49758	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:29.432933092 CET	443	49758	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:29.452480078 CET	49759	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.452512980 CET	443	49759	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:29.454044104 CET	49759	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.454195023 CET	49759	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:29.454204082 CET	443	49759	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:29.488425016 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:29.494106054 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:29.539792061 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:29.619991064 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:29.824434042 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:29.871876001 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:30.639570951 CET	443	49757	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:30.639583111 CET	443	49757	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:30.639648914 CET	49757	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.643281937 CET	49757	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.643296003 CET	443	49757	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:30.643552065 CET	443	49757	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:30.645975113 CET	49757	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.646090984 CET	49757	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.646126986 CET	443	49757	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:30.646904945 CET	49757	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.648823023 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:30.686012030 CET	443	49756	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:30.686029911 CET	443	49756	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:30.686115026 CET	49756	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.690118074 CET	49756	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.690145016 CET	443	49756	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:30.690213919 CET	49756	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.690305948 CET	443	49756	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:30.691693068 CET	49756	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.696681976 CET	443	49758	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:30.696697950 CET	443	49758	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:30.696919918 CET	49758	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:30.701138020 CET	49758	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:30.701138020 CET	49758	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:30.701158047 CET	443	49758	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:30.701329947 CET	443	49758	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:30.701776981 CET	49758	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:30.767091990 CET	443	49759	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:30.767167091 CET	49759	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.770051003 CET	49759	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.770061970 CET	443	49759	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:30.770297050 CET	443	49759	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:30.772763968 CET	49759	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.772867918 CET	49759	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.772907019 CET	443	49759	34.120.208.123	192.168.2.5
Nov 23, 2024 19:52:30.773338079 CET	49759	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:52:30.798434019 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:31.011598110 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:31.014874935 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:31.059736013 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:31.134366989 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:31.226319075 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:31.338992119 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:31.346539974 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:31.391885042 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:31.560344934 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:31.563626051 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:31.608093023 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:31.683654070 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:31.888292074 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:31.946772099 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:40.384191990 CET	49780	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:40.384236097 CET	443	49780	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:40.385035038 CET	49780	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:40.385215998 CET	49780	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:40.385222912 CET	443	49780	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:40.408852100 CET	49781	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:40.408898115 CET	443	49781	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:40.409710884 CET	49782	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:40.409733057 CET	443	49782	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:40.412568092 CET	49781	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:40.412568092 CET	49782	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:40.412756920 CET	49781	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:40.412770987 CET	443	49781	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:40.414330006 CET	49782	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:40.414340973 CET	443	49782	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:40.596054077 CET	49783	443	192.168.2.5	151.101.193.91
Nov 23, 2024 19:52:40.596105099 CET	443	49783	151.101.193.91	192.168.2.5
Nov 23, 2024 19:52:40.596575022 CET	49783	443	192.168.2.5	151.101.193.91
Nov 23, 2024 19:52:40.596724033 CET	49783	443	192.168.2.5	151.101.193.91
Nov 23, 2024 19:52:40.596743107 CET	443	49783	151.101.193.91	192.168.2.5
Nov 23, 2024 19:52:40.604908943 CET	49784	443	192.168.2.5	35.201.103.21
Nov 23, 2024 19:52:40.604948044 CET	443	49784	35.201.103.21	192.168.2.5
Nov 23, 2024 19:52:40.605204105 CET	49784	443	192.168.2.5	35.201.103.21
Nov 23, 2024 19:52:40.606575966 CET	49784	443	192.168.2.5	35.201.103.21
Nov 23, 2024 19:52:40.606589079 CET	443	49784	35.201.103.21	192.168.2.5
Nov 23, 2024 19:52:40.878359079 CET	49785	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:40.878400087 CET	443	49785	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:40.879045010 CET	49785	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:40.880575895 CET	49785	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:40.880584955 CET	443	49785	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:41.574980021 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:41.701225996 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:41.711227894 CET	443	49780	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:41.711388111 CET	49780	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.714308977 CET	49780	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.714318037 CET	443	49780	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:41.714555979 CET	443	49780	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:41.716628075 CET	49780	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.716730118 CET	49780	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.716773987 CET	443	49780	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:41.716948986 CET	49780	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.719305992 CET	443	49781	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:41.719377995 CET	49781	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:41.722310066 CET	49781	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:41.722322941 CET	443	49781	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:41.722451925 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:41.722565889 CET	443	49781	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:41.724843025 CET	49781	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:41.724931955 CET	49781	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:41.724981070 CET	443	49781	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:41.725081921 CET	49781	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:41.768724918 CET	443	49782	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:41.768847942 CET	49782	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:41.772775888 CET	49782	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:41.772785902 CET	443	49782	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:41.772897005 CET	49782	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:41.772934914 CET	443	49782	35.190.72.216	192.168.2.5
Nov 23, 2024 19:52:41.773449898 CET	49782	443	192.168.2.5	35.190.72.216
Nov 23, 2024 19:52:41.843787909 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:41.891495943 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:41.919743061 CET	443	49784	35.201.103.21	192.168.2.5
Nov 23, 2024 19:52:41.919826031 CET	49784	443	192.168.2.5	35.201.103.21
Nov 23, 2024 19:52:41.923494101 CET	443	49783	151.101.193.91	192.168.2.5
Nov 23, 2024 19:52:41.924670935 CET	49784	443	192.168.2.5	35.201.103.21
Nov 23, 2024 19:52:41.924685955 CET	443	49784	35.201.103.21	192.168.2.5
Nov 23, 2024 19:52:41.924756050 CET	49784	443	192.168.2.5	35.201.103.21
Nov 23, 2024 19:52:41.924952030 CET	443	49784	35.201.103.21	192.168.2.5
Nov 23, 2024 19:52:41.926223993 CET	49784	443	192.168.2.5	35.201.103.21
Nov 23, 2024 19:52:41.926239014 CET	49783	443	192.168.2.5	151.101.193.91
Nov 23, 2024 19:52:41.929323912 CET	49783	443	192.168.2.5	151.101.193.91
Nov 23, 2024 19:52:41.929337978 CET	443	49783	151.101.193.91	192.168.2.5
Nov 23, 2024 19:52:41.929626942 CET	443	49783	151.101.193.91	192.168.2.5
Nov 23, 2024 19:52:41.931474924 CET	49783	443	192.168.2.5	151.101.193.91
Nov 23, 2024 19:52:41.931577921 CET	49783	443	192.168.2.5	151.101.193.91
Nov 23, 2024 19:52:41.931632996 CET	443	49783	151.101.193.91	192.168.2.5
Nov 23, 2024 19:52:41.938384056 CET	49783	443	192.168.2.5	151.101.193.91
Nov 23, 2024 19:52:41.938410997 CET	49783	443	192.168.2.5	151.101.193.91
Nov 23, 2024 19:52:41.944453001 CET	49786	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.944513083 CET	443	49786	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:41.948301077 CET	49787	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.948349953 CET	443	49787	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:41.952002048 CET	49788	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:41.952039003 CET	443	49788	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:41.954078913 CET	49786	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.954363108 CET	49788	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:41.954365969 CET	49787	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.954565048 CET	49786	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.954591036 CET	443	49786	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:41.954706907 CET	49787	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.954721928 CET	443	49787	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:41.954809904 CET	49788	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:41.954826117 CET	443	49788	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:41.964282036 CET	49789	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.964323997 CET	443	49789	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:41.971787930 CET	49789	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.972012997 CET	49789	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:41.972042084 CET	443	49789	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:42.011183023 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:42.083228111 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:42.086441040 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:42.139031887 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:42.206497908 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:42.255739927 CET	443	49785	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:42.255917072 CET	49785	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:42.259735107 CET	49785	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:42.259744883 CET	443	49785	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:42.259844065 CET	49785	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:42.259900093 CET	443	49785	34.107.243.93	192.168.2.5
Nov 23, 2024 19:52:42.260466099 CET	49785	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:52:42.262269974 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:42.419938087 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:42.421000004 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:42.477627993 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:42.634207010 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:42.637057066 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:42.678226948 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:42.763446093 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:42.967953920 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:43.010040045 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:43.331413031 CET	443	49786	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.331429005 CET	443	49786	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.342170000 CET	49786	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.343878031 CET	443	49789	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.343894005 CET	443	49789	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.349019051 CET	49789	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.349263906 CET	49786	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.349272013 CET	443	49786	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.349618912 CET	443	49786	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.352139950 CET	49789	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.352148056 CET	443	49789	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.352407932 CET	443	49789	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.354528904 CET	49786	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.354713917 CET	443	49786	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.354717016 CET	49786	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.354729891 CET	443	49786	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.355032921 CET	49789	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.355114937 CET	49789	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.355169058 CET	443	49789	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.355570078 CET	49789	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.355570078 CET	49789	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.355592012 CET	49786	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.360451937 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:43.366303921 CET	443	49787	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.366313934 CET	443	49788	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:43.366668940 CET	49788	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:43.366671085 CET	49787	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.369338036 CET	49787	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.369349003 CET	443	49787	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.369617939 CET	443	49787	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.372011900 CET	49788	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:43.372024059 CET	443	49788	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:43.372350931 CET	443	49788	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:43.374623060 CET	49787	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.374711990 CET	49787	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.374768972 CET	443	49787	35.244.181.201	192.168.2.5
Nov 23, 2024 19:52:43.374986887 CET	49788	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:43.375037909 CET	49788	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:43.375135899 CET	443	49788	34.149.100.209	192.168.2.5
Nov 23, 2024 19:52:43.377366066 CET	49787	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.377383947 CET	49788	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:43.377393007 CET	49787	443	192.168.2.5	35.244.181.201
Nov 23, 2024 19:52:43.377403021 CET	49788	443	192.168.2.5	34.149.100.209
Nov 23, 2024 19:52:43.566984892 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:43.780576944 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:43.783749104 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:43.827987909 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:43.903336048 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:44.107690096 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:44.160140038 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:53.789113045 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:53.916994095 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:52:54.112123966 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:52:54.278166056 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:02.942637920 CET	49836	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:02.942683935 CET	443	49836	34.107.243.93	192.168.2.5
Nov 23, 2024 19:53:02.943546057 CET	49836	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:02.945058107 CET	49836	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:02.945074081 CET	443	49836	34.107.243.93	192.168.2.5
Nov 23, 2024 19:53:03.920655966 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:04.043917894 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:04.267343998 CET	443	49836	34.107.243.93	192.168.2.5
Nov 23, 2024 19:53:04.267513990 CET	49836	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:04.272202015 CET	49836	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:04.272211075 CET	443	49836	34.107.243.93	192.168.2.5
Nov 23, 2024 19:53:04.272299051 CET	49836	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:04.272406101 CET	443	49836	34.107.243.93	192.168.2.5
Nov 23, 2024 19:53:04.273251057 CET	49836	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:04.275166035 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:04.283979893 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:04.406239033 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:04.410069942 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:04.623455048 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:04.626734018 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:04.669534922 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:04.747876883 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:04.953876019 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:05.001276970 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:10.296382904 CET	49853	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:10.296417952 CET	443	49853	34.120.208.123	192.168.2.5
Nov 23, 2024 19:53:10.297209024 CET	49853	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:10.297354937 CET	49853	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:10.297363997 CET	443	49853	34.120.208.123	192.168.2.5
Nov 23, 2024 19:53:10.339554071 CET	49854	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:10.339576006 CET	443	49854	34.120.208.123	192.168.2.5
Nov 23, 2024 19:53:10.344007969 CET	49854	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:10.344206095 CET	49854	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:10.344219923 CET	443	49854	34.120.208.123	192.168.2.5
Nov 23, 2024 19:53:11.576920986 CET	443	49853	34.120.208.123	192.168.2.5
Nov 23, 2024 19:53:11.577054024 CET	49853	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:11.580508947 CET	49853	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:11.580530882 CET	443	49853	34.120.208.123	192.168.2.5
Nov 23, 2024 19:53:11.581221104 CET	443	49853	34.120.208.123	192.168.2.5
Nov 23, 2024 19:53:11.583242893 CET	49853	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:11.583359003 CET	49853	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:11.583462954 CET	443	49853	34.120.208.123	192.168.2.5
Nov 23, 2024 19:53:11.586749077 CET	49853	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:11.587521076 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:11.718920946 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:11.771663904 CET	443	49854	34.120.208.123	192.168.2.5
Nov 23, 2024 19:53:11.771799088 CET	49854	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:11.775584936 CET	49854	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:11.775592089 CET	443	49854	34.120.208.123	192.168.2.5
Nov 23, 2024 19:53:11.775917053 CET	443	49854	34.120.208.123	192.168.2.5
Nov 23, 2024 19:53:11.778321981 CET	49854	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:11.778434038 CET	49854	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:11.778476000 CET	443	49854	34.120.208.123	192.168.2.5
Nov 23, 2024 19:53:11.779324055 CET	49854	443	192.168.2.5	34.120.208.123
Nov 23, 2024 19:53:11.931770086 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:11.934784889 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:11.974704027 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:12.061197042 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:12.265372992 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:12.306813002 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:21.934016943 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:22.054832935 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:22.272710085 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:22.392199993 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:32.062578917 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:32.183466911 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:32.401237965 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:32.523399115 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:42.191060066 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:42.313024044 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:42.529663086 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:42.649116039 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:44.287255049 CET	49926	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:44.287297010 CET	443	49926	34.107.243.93	192.168.2.5
Nov 23, 2024 19:53:44.287389994 CET	49926	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:44.288875103 CET	49926	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:44.288887024 CET	443	49926	34.107.243.93	192.168.2.5
Nov 23, 2024 19:53:45.581310987 CET	443	49926	34.107.243.93	192.168.2.5
Nov 23, 2024 19:53:45.581397057 CET	49926	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:45.587495089 CET	49926	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:45.587517977 CET	443	49926	34.107.243.93	192.168.2.5
Nov 23, 2024 19:53:45.587604046 CET	49926	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:45.587707996 CET	443	49926	34.107.243.93	192.168.2.5
Nov 23, 2024 19:53:45.588685989 CET	49926	443	192.168.2.5	34.107.243.93
Nov 23, 2024 19:53:45.590527058 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:45.710129976 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:45.922990084 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:45.928015947 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:45.970952988 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:46.077735901 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:46.282120943 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:46.340981007 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:55.930809975 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:56.073065996 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:53:56.285182953 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:53:56.411031961 CET	80	49724	34.107.221.82	192.168.2.5
Nov 23, 2024 19:54:06.076751947 CET	49725	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:54:06.196281910 CET	80	49725	34.107.221.82	192.168.2.5
Nov 23, 2024 19:54:06.415539026 CET	49724	80	192.168.2.5	34.107.221.82
Nov 23, 2024 19:54:06.541233063 CET	80	49724	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 19:52:12.258384943 CET	62750	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:12.258641005 CET	58018	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:12.403934002 CET	55326	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:12.447241068 CET	53	58018	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:12.450854063 CET	53903	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:12.455804110 CET	62366	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:12.556679010 CET	53	55326	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:12.561908960 CET	52140	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:12.603491068 CET	53	53903	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:12.604136944 CET	50798	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:12.609313965 CET	53	62366	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:12.609874964 CET	56942	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:12.784615993 CET	58795	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:12.817734003 CET	53360	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:12.830298901 CET	58473	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:12.849549055 CET	53	50798	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:12.850411892 CET	53	56942	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:12.992654085 CET	53	58795	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:12.992999077 CET	53	53360	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:12.993757963 CET	55812	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:12.995398998 CET	57125	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:13.011209011 CET	53	58473	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:13.052007914 CET	53	52140	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:13.052954912 CET	60994	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:13.148436069 CET	53	55812	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:13.148508072 CET	53	57125	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:13.149349928 CET	55855	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:13.150053024 CET	54657	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:13.225162029 CET	53	60994	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:13.225821972 CET	64204	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:13.296375036 CET	53	55855	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:13.342602968 CET	53	54657	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:13.391470909 CET	53	64204	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:13.403904915 CET	64198	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:13.542944908 CET	53	64198	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:13.543823957 CET	51202	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:13.736186981 CET	53	51202	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:14.731532097 CET	60449	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:14.731693029 CET	52284	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:14.799726009 CET	57405	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:14.871011019 CET	53	52284	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:14.872977018 CET	53	60449	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:15.803472996 CET	57225	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:15.836828947 CET	59622	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:15.990362883 CET	53	59622	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:15.991565943 CET	56273	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:16.129293919 CET	53	56273	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:16.130001068 CET	52828	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:16.130681038 CET	65191	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:16.223735094 CET	59504	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:16.269716978 CET	53	52828	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:16.270174026 CET	53	65191	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:16.301032066 CET	53533	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:16.364531040 CET	53	59504	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:16.405711889 CET	53168	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:16.446914911 CET	53	53533	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:16.455071926 CET	52356	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:16.537800074 CET	53	64539	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:16.668442011 CET	53	53168	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:16.668760061 CET	53	52356	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:20.835423946 CET	59635	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:21.179759026 CET	53	59635	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:22.270071030 CET	56387	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:22.427707911 CET	53	56387	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:22.463519096 CET	56616	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:22.750601053 CET	53	56616	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:26.790842056 CET	60583	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:26.790961981 CET	58954	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:26.791141033 CET	60403	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:26.968183041 CET	53	60583	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:26.968204975 CET	53	58954	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:26.969556093 CET	53	60403	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:27.736614943 CET	62473	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:27.736843109 CET	52666	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:27.737044096 CET	51412	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:27.902419090 CET	53	52666	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:27.902787924 CET	53	51412	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:27.903425932 CET	51231	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:27.903513908 CET	53	62473	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:27.903995037 CET	60330	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:27.904052019 CET	50669	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:28.067780018 CET	53	60330	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:28.067792892 CET	53	51231	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:28.068456888 CET	53	50669	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:28.068654060 CET	50555	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:28.068805933 CET	53155	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:28.070003033 CET	64514	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:28.210072994 CET	53	53155	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:28.210823059 CET	54228	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:28.210896969 CET	53	50555	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:28.210995913 CET	53	64514	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:28.211555958 CET	52345	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:28.364933968 CET	53	54228	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:28.365578890 CET	64586	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:28.365844011 CET	53	52345	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:28.366388083 CET	53211	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:28.521325111 CET	53	64586	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:28.676645041 CET	53	53211	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:29.422833920 CET	53029	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:29.562630892 CET	53	53029	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:40.384974957 CET	53875	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:40.405083895 CET	59340	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:40.415268898 CET	58209	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:40.595012903 CET	53	59340	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:40.596524000 CET	56314	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:40.604087114 CET	53	58209	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:40.696752071 CET	53	53875	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:40.697431087 CET	55855	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:40.697751045 CET	57043	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:40.803168058 CET	53	56314	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:40.803899050 CET	54328	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:40.837776899 CET	53	55855	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:40.839715004 CET	53	57043	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:40.842298031 CET	56300	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:40.878974915 CET	52621	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:52:40.968605995 CET	53	54328	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:41.036041975 CET	53	52621	1.1.1.1	192.168.2.5
Nov 23, 2024 19:52:41.037056923 CET	53	56300	1.1.1.1	192.168.2.5
Nov 23, 2024 19:53:02.802333117 CET	49559	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:53:02.941310883 CET	53	49559	1.1.1.1	192.168.2.5
Nov 23, 2024 19:53:02.943481922 CET	60272	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:53:03.096544027 CET	53	60272	1.1.1.1	192.168.2.5
Nov 23, 2024 19:53:04.275409937 CET	51572	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:53:10.296924114 CET	62129	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:53:10.447403908 CET	53	62129	1.1.1.1	192.168.2.5
Nov 23, 2024 19:53:44.287763119 CET	52665	53	192.168.2.5	1.1.1.1
Nov 23, 2024 19:53:44.426187038 CET	53	52665	1.1.1.1	192.168.2.5
Nov 23, 2024 19:53:45.590773106 CET	53655	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 19:52:12.258384943 CET	192.168.2.5	1.1.1.1	0xe07b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.258641005 CET	192.168.2.5	1.1.1.1	0x3de3	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.403934002 CET	192.168.2.5	1.1.1.1	0xcaa	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.450854063 CET	192.168.2.5	1.1.1.1	0xe76a	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.455804110 CET	192.168.2.5	1.1.1.1	0x5449	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.561908960 CET	192.168.2.5	1.1.1.1	0x6e1f	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 19:52:12.604136944 CET	192.168.2.5	1.1.1.1	0xa50b	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 23, 2024 19:52:12.609874964 CET	192.168.2.5	1.1.1.1	0xccf4	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 19:52:12.784615993 CET	192.168.2.5	1.1.1.1	0xc20d	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.817734003 CET	192.168.2.5	1.1.1.1	0x43b8	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.830298901 CET	192.168.2.5	1.1.1.1	0x4afb	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.993757963 CET	192.168.2.5	1.1.1.1	0x4bee	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.995398998 CET	192.168.2.5	1.1.1.1	0x4eef	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:13.052954912 CET	192.168.2.5	1.1.1.1	0xe4d4	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:13.149349928 CET	192.168.2.5	1.1.1.1	0x5f0a	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 19:52:13.150053024 CET	192.168.2.5	1.1.1.1	0x3cb1	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 19:52:13.225821972 CET	192.168.2.5	1.1.1.1	0x8f1e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 19:52:13.403904915 CET	192.168.2.5	1.1.1.1	0x1023	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:13.543823957 CET	192.168.2.5	1.1.1.1	0x732d	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 19:52:14.731532097 CET	192.168.2.5	1.1.1.1	0x1f25	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:14.731693029 CET	192.168.2.5	1.1.1.1	0xf102	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:14.799726009 CET	192.168.2.5	1.1.1.1	0x4e7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:15.803472996 CET	192.168.2.5	1.1.1.1	0xed21	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:15.836828947 CET	192.168.2.5	1.1.1.1	0xa05e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:15.991565943 CET	192.168.2.5	1.1.1.1	0x9b12	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:16.130001068 CET	192.168.2.5	1.1.1.1	0xd0f0	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 19:52:16.130681038 CET	192.168.2.5	1.1.1.1	0xbbdb	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:16.223735094 CET	192.168.2.5	1.1.1.1	0x76b0	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:16.301032066 CET	192.168.2.5	1.1.1.1	0x506e	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:16.405711889 CET	192.168.2.5	1.1.1.1	0xf756	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 19:52:16.455071926 CET	192.168.2.5	1.1.1.1	0x59e9	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 19:52:20.835423946 CET	192.168.2.5	1.1.1.1	0xf213	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:22.270071030 CET	192.168.2.5	1.1.1.1	0x4520	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:22.463519096 CET	192.168.2.5	1.1.1.1	0x96c9	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 19:52:26.790842056 CET	192.168.2.5	1.1.1.1	0x8777	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.790961981 CET	192.168.2.5	1.1.1.1	0xcec2	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.791141033 CET	192.168.2.5	1.1.1.1	0x1f22	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.736614943 CET	192.168.2.5	1.1.1.1	0x255e	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.736843109 CET	192.168.2.5	1.1.1.1	0xd099	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.737044096 CET	192.168.2.5	1.1.1.1	0xa0c2	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.903425932 CET	192.168.2.5	1.1.1.1	0x7537	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 23, 2024 19:52:27.903995037 CET	192.168.2.5	1.1.1.1	0x2924	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 23, 2024 19:52:27.904052019 CET	192.168.2.5	1.1.1.1	0xbb71	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 23, 2024 19:52:28.068654060 CET	192.168.2.5	1.1.1.1	0xbff5	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.068805933 CET	192.168.2.5	1.1.1.1	0xe42d	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.070003033 CET	192.168.2.5	1.1.1.1	0xa7f5	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 19:52:28.210823059 CET	192.168.2.5	1.1.1.1	0x6f34	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.211555958 CET	192.168.2.5	1.1.1.1	0x2544	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.365578890 CET	192.168.2.5	1.1.1.1	0xe471	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 23, 2024 19:52:28.366388083 CET	192.168.2.5	1.1.1.1	0xb730	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 23, 2024 19:52:29.422833920 CET	192.168.2.5	1.1.1.1	0x979f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 19:52:40.384974957 CET	192.168.2.5	1.1.1.1	0xc744	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.405083895 CET	192.168.2.5	1.1.1.1	0x3102	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.415268898 CET	192.168.2.5	1.1.1.1	0x818e	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.596524000 CET	192.168.2.5	1.1.1.1	0x4d9	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.697431087 CET	192.168.2.5	1.1.1.1	0xeefb	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 19:52:40.697751045 CET	192.168.2.5	1.1.1.1	0x78e9	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.803899050 CET	192.168.2.5	1.1.1.1	0x519f	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 23, 2024 19:52:40.842298031 CET	192.168.2.5	1.1.1.1	0x33d8	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 19:52:40.878974915 CET	192.168.2.5	1.1.1.1	0x722d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 19:53:02.802333117 CET	192.168.2.5	1.1.1.1	0x3c1	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:53:02.943481922 CET	192.168.2.5	1.1.1.1	0x3d88	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 19:53:04.275409937 CET	192.168.2.5	1.1.1.1	0x1a90	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:53:10.296924114 CET	192.168.2.5	1.1.1.1	0x1f24	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 19:53:44.287763119 CET	192.168.2.5	1.1.1.1	0xb201	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 19:53:45.590773106 CET	192.168.2.5	1.1.1.1	0x27f1	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 19:52:12.400832891 CET	1.1.1.1	192.168.2.5	0x740e	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.447241068 CET	1.1.1.1	192.168.2.5	0x3de3	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.447906017 CET	1.1.1.1	192.168.2.5	0xe07b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:12.447906017 CET	1.1.1.1	192.168.2.5	0xe07b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.556679010 CET	1.1.1.1	192.168.2.5	0xcaa	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.603491068 CET	1.1.1.1	192.168.2.5	0xe76a	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.609313965 CET	1.1.1.1	192.168.2.5	0x5449	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.849549055 CET	1.1.1.1	192.168.2.5	0xa50b	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 23, 2024 19:52:12.850411892 CET	1.1.1.1	192.168.2.5	0xccf4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 19:52:12.992654085 CET	1.1.1.1	192.168.2.5	0xc20d	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.992999077 CET	1.1.1.1	192.168.2.5	0x43b8	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:12.992999077 CET	1.1.1.1	192.168.2.5	0x43b8	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:12.993138075 CET	1.1.1.1	192.168.2.5	0xd7d9	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:12.993138075 CET	1.1.1.1	192.168.2.5	0xd7d9	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:13.011209011 CET	1.1.1.1	192.168.2.5	0x4afb	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:13.011209011 CET	1.1.1.1	192.168.2.5	0x4afb	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:13.011209011 CET	1.1.1.1	192.168.2.5	0x4afb	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:13.148436069 CET	1.1.1.1	192.168.2.5	0x4bee	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:13.148508072 CET	1.1.1.1	192.168.2.5	0x4eef	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:13.225162029 CET	1.1.1.1	192.168.2.5	0xe4d4	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:13.542944908 CET	1.1.1.1	192.168.2.5	0x1023	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:13.736186981 CET	1.1.1.1	192.168.2.5	0x732d	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 19:52:14.871011019 CET	1.1.1.1	192.168.2.5	0xf102	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:14.871011019 CET	1.1.1.1	192.168.2.5	0xf102	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:14.872977018 CET	1.1.1.1	192.168.2.5	0x1f25	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:14.995949984 CET	1.1.1.1	192.168.2.5	0x4e7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:14.995949984 CET	1.1.1.1	192.168.2.5	0x4e7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:15.990362883 CET	1.1.1.1	192.168.2.5	0xa05e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:16.039438963 CET	1.1.1.1	192.168.2.5	0xed21	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:16.129293919 CET	1.1.1.1	192.168.2.5	0x9b12	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:16.221651077 CET	1.1.1.1	192.168.2.5	0x46ab	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:16.262520075 CET	1.1.1.1	192.168.2.5	0xf66	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:16.262520075 CET	1.1.1.1	192.168.2.5	0xf66	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:16.270174026 CET	1.1.1.1	192.168.2.5	0xbbdb	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:16.270174026 CET	1.1.1.1	192.168.2.5	0xbbdb	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:16.364531040 CET	1.1.1.1	192.168.2.5	0x76b0	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:16.446914911 CET	1.1.1.1	192.168.2.5	0x506e	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:21.179759026 CET	1.1.1.1	192.168.2.5	0xf213	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:21.179759026 CET	1.1.1.1	192.168.2.5	0xf213	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:21.179759026 CET	1.1.1.1	192.168.2.5	0xf213	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:21.224478960 CET	1.1.1.1	192.168.2.5	0xf76e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:22.427707911 CET	1.1.1.1	192.168.2.5	0x4520	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968183041 CET	1.1.1.1	192.168.2.5	0x8777	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968183041 CET	1.1.1.1	192.168.2.5	0x8777	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968183041 CET	1.1.1.1	192.168.2.5	0x8777	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968183041 CET	1.1.1.1	192.168.2.5	0x8777	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968183041 CET	1.1.1.1	192.168.2.5	0x8777	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968183041 CET	1.1.1.1	192.168.2.5	0x8777	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968183041 CET	1.1.1.1	192.168.2.5	0x8777	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968183041 CET	1.1.1.1	192.168.2.5	0x8777	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968183041 CET	1.1.1.1	192.168.2.5	0x8777	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968183041 CET	1.1.1.1	192.168.2.5	0x8777	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968183041 CET	1.1.1.1	192.168.2.5	0x8777	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968183041 CET	1.1.1.1	192.168.2.5	0x8777	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968204975 CET	1.1.1.1	192.168.2.5	0xcec2	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:26.968204975 CET	1.1.1.1	192.168.2.5	0xcec2	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:26.969556093 CET	1.1.1.1	192.168.2.5	0x1f22	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:26.969556093 CET	1.1.1.1	192.168.2.5	0x1f22	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.043549061 CET	1.1.1.1	192.168.2.5	0xe880	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.902419090 CET	1.1.1.1	192.168.2.5	0xd099	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.902419090 CET	1.1.1.1	192.168.2.5	0xd099	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.902419090 CET	1.1.1.1	192.168.2.5	0xd099	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.902419090 CET	1.1.1.1	192.168.2.5	0xd099	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.902419090 CET	1.1.1.1	192.168.2.5	0xd099	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.902419090 CET	1.1.1.1	192.168.2.5	0xd099	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.902419090 CET	1.1.1.1	192.168.2.5	0xd099	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.902419090 CET	1.1.1.1	192.168.2.5	0xd099	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.902787924 CET	1.1.1.1	192.168.2.5	0xa0c2	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:27.903513908 CET	1.1.1.1	192.168.2.5	0x255e	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.067780018 CET	1.1.1.1	192.168.2.5	0x2924	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 23, 2024 19:52:28.067792892 CET	1.1.1.1	192.168.2.5	0x7537	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 19:52:28.067792892 CET	1.1.1.1	192.168.2.5	0x7537	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 19:52:28.067792892 CET	1.1.1.1	192.168.2.5	0x7537	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 19:52:28.067792892 CET	1.1.1.1	192.168.2.5	0x7537	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 19:52:28.068456888 CET	1.1.1.1	192.168.2.5	0xbb71	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 23, 2024 19:52:28.210072994 CET	1.1.1.1	192.168.2.5	0xe42d	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.210896969 CET	1.1.1.1	192.168.2.5	0xbff5	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:28.210896969 CET	1.1.1.1	192.168.2.5	0xbff5	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.210896969 CET	1.1.1.1	192.168.2.5	0xbff5	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.210896969 CET	1.1.1.1	192.168.2.5	0xbff5	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.210896969 CET	1.1.1.1	192.168.2.5	0xbff5	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.364933968 CET	1.1.1.1	192.168.2.5	0x6f34	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.365844011 CET	1.1.1.1	192.168.2.5	0x2544	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.365844011 CET	1.1.1.1	192.168.2.5	0x2544	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.365844011 CET	1.1.1.1	192.168.2.5	0x2544	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:28.365844011 CET	1.1.1.1	192.168.2.5	0x2544	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:29.301467896 CET	1.1.1.1	192.168.2.5	0x5081	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.595012903 CET	1.1.1.1	192.168.2.5	0x3102	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.595012903 CET	1.1.1.1	192.168.2.5	0x3102	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.595012903 CET	1.1.1.1	192.168.2.5	0x3102	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.595012903 CET	1.1.1.1	192.168.2.5	0x3102	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.595029116 CET	1.1.1.1	192.168.2.5	0x4061	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:40.595029116 CET	1.1.1.1	192.168.2.5	0x4061	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.604087114 CET	1.1.1.1	192.168.2.5	0x818e	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:40.604087114 CET	1.1.1.1	192.168.2.5	0x818e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.696752071 CET	1.1.1.1	192.168.2.5	0xc744	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.803168058 CET	1.1.1.1	192.168.2.5	0x4d9	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.803168058 CET	1.1.1.1	192.168.2.5	0x4d9	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.803168058 CET	1.1.1.1	192.168.2.5	0x4d9	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.803168058 CET	1.1.1.1	192.168.2.5	0x4d9	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.839715004 CET	1.1.1.1	192.168.2.5	0x78e9	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:52:40.968605995 CET	1.1.1.1	192.168.2.5	0x519f	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 19:52:40.968605995 CET	1.1.1.1	192.168.2.5	0x519f	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 19:52:40.968605995 CET	1.1.1.1	192.168.2.5	0x519f	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 19:52:40.968605995 CET	1.1.1.1	192.168.2.5	0x519f	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 19:52:44.303543091 CET	1.1.1.1	192.168.2.5	0xecca	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:52:44.303543091 CET	1.1.1.1	192.168.2.5	0xecca	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:53:02.941310883 CET	1.1.1.1	192.168.2.5	0x3c1	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:53:04.425268888 CET	1.1.1.1	192.168.2.5	0x1a90	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:53:04.425268888 CET	1.1.1.1	192.168.2.5	0x1a90	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 19:53:45.804292917 CET	1.1.1.1	192.168.2.5	0x27f1	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 19:53:45.804292917 CET	1.1.1.1	192.168.2.5	0x27f1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49715	34.107.221.82	80	6428	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 19:52:12.989828110 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 19:52:14.131206989 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 43456 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49724	34.107.221.82	80	6428	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 19:52:15.242178917 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 19:52:16.375077009 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 63791 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 19:52:16.451829910 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 19:52:16.841358900 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 63791 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 19:52:20.848275900 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 19:52:21.366137028 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 63796 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 19:52:27.740082979 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 19:52:28.091995955 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 63802 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 19:52:29.494106054 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 19:52:29.824434042 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 63804 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 19:52:31.014874935 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 19:52:31.338992119 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 63806 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 19:52:31.563626051 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 19:52:31.888292074 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 63806 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 19:52:41.891495943 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:52:42.086441040 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 19:52:42.421000004 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 63817 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 19:52:42.637057066 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 19:52:42.967953920 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 63817 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 19:52:43.783749104 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 19:52:44.107690096 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 63818 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 19:52:54.112123966 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:53:04.283979893 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:53:04.626734018 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 19:53:04.953876019 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 63839 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 19:53:11.934784889 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 19:53:12.265372992 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 63847 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 19:53:22.272710085 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:53:32.401237965 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:53:42.529663086 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:53:45.928015947 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 19:53:46.282120943 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 63881 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 19:53:56.285182953 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:54:06.415539026 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49725	34.107.221.82	80	6428	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 19:52:15.242458105 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 19:52:16.423732996 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 71213 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 19:52:16.497591019 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 19:52:16.850760937 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 71213 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 19:52:20.910057068 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 19:52:21.422842979 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 71218 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 19:52:29.155117989 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 19:52:29.488425016 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 71226 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 19:52:30.648823023 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 19:52:31.011598110 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 71227 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 19:52:31.226319075 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 19:52:31.560344934 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 71228 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 19:52:41.574980021 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:52:41.722451925 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 19:52:42.083228111 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 71238 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 19:52:42.262269974 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 19:52:42.634207010 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 71239 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 19:52:43.360451937 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 19:52:43.780576944 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 71240 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 19:52:53.789113045 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:53:03.920655966 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:53:04.275166035 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 19:53:04.623455048 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 71261 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 19:53:11.587521076 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 19:53:11.931770086 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 71268 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 19:53:21.934016943 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:53:32.062578917 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:53:42.191060066 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:53:45.590527058 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 19:53:45.922990084 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 71302 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 19:53:55.930809975 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 19:54:06.076751947 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	13:52:03
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x4b0000
File size:	922'112 bytes
MD5 hash:	7F05860BAEE4FF5DA95E342EAEE96E85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2131607447.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:52:03
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xeb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:52:03
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:52:05
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xeb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:52:05
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:52:05
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xeb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:52:05
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:52:06
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xeb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:52:06
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:52:06
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xeb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:52:06
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:52:06
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:52:07
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:52:07
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	13:52:09
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2172 -parentBuildID 20230927232528 -prefsHandle 2084 -prefMapHandle 2076 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6789b02-c7c3-48d4-a1ac-a4a2567930bd} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 24d7ab6df10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	13:52:11
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -parentBuildID 20230927232528 -prefsHandle 4356 -prefMapHandle 2896 -prefsLen 30974 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {043b44f9-de79-4c7a-a5a7-8092897a0483} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 24d0d2c4810 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	13:52:15
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5024 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5004 -prefMapHandle 4964 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2f9f0cb-803a-47c5-a8fe-41a3040c8247} 6428 "\\.\pipe\gecko-crash-server-pipe.6428" 24d14af1d10 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.5%
Total number of Nodes:	1575
Total number of Limit Nodes:	65

Executed Functions

Function 004B42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004B430D

Part of subcall function 004B6B57: _wcslen.LIBCMT ref: 004B6B6A

GetCurrentProcess.KERNEL32(?,0054CB64,00000000,?,?), ref: 004B4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 004B4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 004B4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004B4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 004B4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 004B447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004B44A0

Strings

kernel32.dll, xrefs: 004B444F
GetNativeSystemInfo, xrefs: 004B4460
|O, xrefs: 004F36F8

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: a5608373a64e5f70b39e32652ea1939be6dc57b37f49901255039f57af0e8fc6
Instruction ID: 2ff8e507e9bb5fdbe6210b4796e2635f4fc1b4b36ec7081585f859490c012bea
Opcode Fuzzy Hash: a5608373a64e5f70b39e32652ea1939be6dc57b37f49901255039f57af0e8fc6
Instruction Fuzzy Hash: 79A1C57190AAD4CFC711CB6978401E53FEC6B76744B186C9AD841B3B22DA68450FEB2E

Function 004B42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004B50AA,?,?,00000000,00000000), ref: 004B42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004B50AA,?,?,00000000,00000000), ref: 004B42C9
LoadResource.KERNEL32(?,00000000,?,?,004B50AA,?,?,00000000,00000000,?,?,?,?,?,?,004B4F20), ref: 004F35BE
SizeofResource.KERNEL32(?,00000000,?,?,004B50AA,?,?,00000000,00000000,?,?,?,?,?,?,004B4F20), ref: 004F35D3
LockResource.KERNEL32(004B50AA,?,?,004B50AA,?,?,00000000,00000000,?,?,?,?,?,?,004B4F20,?), ref: 004F35E6

Strings

SCRIPT, xrefs: 004B42BF

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a0f0fd22cd704f631b8d02c7610de1c7916677c21e5a9ce93c09f95551296f22
Instruction ID: df5c80a9b52b886204b0755593efd652d94fbe74cbf7eb9bb5422c5bcc182b37
Opcode Fuzzy Hash: a0f0fd22cd704f631b8d02c7610de1c7916677c21e5a9ce93c09f95551296f22
Instruction Fuzzy Hash: 9E117078201700BFD7258FA5DC49FA77FB9EBD5B55F1041AAF442962A0DBB1D804A630

Function 004F2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 004B2B6B

Part of subcall function 004B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00581418,?,004B2E7F,?,?,?,00000000), ref: 004B3A78

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00572224), ref: 004F2C10
ShellExecuteW.SHELL32(00000000,?,?,00572224), ref: 004F2C17

Strings

runas, xrefs: 004F2C0B

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: e08d4860329278f6426ede46407ac80c0da45dd736fa0c9c4b278cb249b0fd8d
Instruction ID: 379d457f13d33ad9a5a4ac28b8a350208e8f48900dc7fae654e8fbd0cade227b
Opcode Fuzzy Hash: e08d4860329278f6426ede46407ac80c0da45dd736fa0c9c4b278cb249b0fd8d
Instruction Fuzzy Hash: 7911E7311083056ACB04FF62D9519FE7FE8AB91749F44142FF542120A2DF68994AD73A

Function 0051D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0051D501
Process32FirstW.KERNEL32(00000000,?), ref: 0051D50F
Process32NextW.KERNEL32(00000000,?), ref: 0051D52F
CloseHandle.KERNELBASE(00000000), ref: 0051D5DC

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b1ce17ca153672a583e36e660a8a64c4e3a2b2f07d0d96498c11ed7f474d2e8d
Instruction ID: 18931800ff8513a1514dcdcdac34db71e650eb0e82e886890ee8d2a00391334f
Opcode Fuzzy Hash: b1ce17ca153672a583e36e660a8a64c4e3a2b2f07d0d96498c11ed7f474d2e8d
Instruction Fuzzy Hash: 973170711082009FD300EF54C885AEFBFF9AF99358F14092EF585861A1EB719989CBA2

Function 0051DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,004F5222), ref: 0051DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0051DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0051DBEE
FindClose.KERNEL32(00000000), ref: 0051DBFA

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: f2d420c36eb6a2898b9c9caac5f0f855f7418c89aa9802782cbf99f2a76d9660
Instruction ID: f4afeedabf3a46c28bbaffdc8ef0badc9d04da41f0dfb379a45981ce74bc96f7
Opcode Fuzzy Hash: f2d420c36eb6a2898b9c9caac5f0f855f7418c89aa9802782cbf99f2a76d9660
Instruction Fuzzy Hash: 0EF0A0388159105792206B78AC0D8EA3F7CAF8233CB104B02F976C20E0EBF05D98DAE5

Function 004D4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004E28E9,?,004D4CBE,004E28E9,005788B8,0000000C,004D4E15,004E28E9,00000002,00000000,?,004E28E9), ref: 004D4D09
TerminateProcess.KERNEL32(00000000,?,004D4CBE,004E28E9,005788B8,0000000C,004D4E15,004E28E9,00000002,00000000,?,004E28E9), ref: 004D4D10
ExitProcess.KERNEL32 ref: 004D4D22

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7d2187ab39e85e425528ca02fc05598f7ee19acf660b8490bc3e6ac840968f65
Instruction ID: 8e8e00426cf6e2de92123fa11ed392af2ae4ced8d698295724ecf5195e6813bc
Opcode Fuzzy Hash: 7d2187ab39e85e425528ca02fc05598f7ee19acf660b8490bc3e6ac840968f65
Instruction Fuzzy Hash: 69E0B635001188ABCF61AF65DD19A993F6AEB9278AB14441AFC058B222CB39DD46DA84

Function 004BBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#X, xrefs: 005007CE

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#X
API String ID: 3964851224-1890131941
Opcode ID: c60f249fd1ea680ab33fec82bfacb503006601f7c2ce9e14ca55e4a2366abb3d
Instruction ID: 9d18c313eee2ec9371eadc744a5664c0598d04b841153e589b6599e3f5966b38
Opcode Fuzzy Hash: c60f249fd1ea680ab33fec82bfacb503006601f7c2ce9e14ca55e4a2366abb3d
Instruction Fuzzy Hash: E8A26F746083018FD714DF14C4C0B6ABBE1BF89304F14996EE89A8B392D779EC45CBA6

Function 0053AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0053B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0053B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0053B1D4
_wcslen.LIBCMT ref: 0053B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0053B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0053B236
_wcslen.LIBCMT ref: 0053B332

Part of subcall function 005205A7: GetStdHandle.KERNEL32(000000F6), ref: 005205C6

_wcslen.LIBCMT ref: 0053B34B
_wcslen.LIBCMT ref: 0053B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0053B3B6
GetLastError.KERNEL32(00000000), ref: 0053B407
CloseHandle.KERNEL32(?), ref: 0053B439
CloseHandle.KERNEL32(00000000), ref: 0053B44A
CloseHandle.KERNEL32(00000000), ref: 0053B45C
CloseHandle.KERNEL32(00000000), ref: 0053B46E
CloseHandle.KERNEL32(?), ref: 0053B4E3

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 66d1ccffb68ba18529a6a265c3a61f29fa527e15b1576045885267bdb5c9a974
Instruction ID: 70bfc671fb629491e79b91d77aa3d36ba6dff4529570d0edcadd366008611070
Opcode Fuzzy Hash: 66d1ccffb68ba18529a6a265c3a61f29fa527e15b1576045885267bdb5c9a974
Instruction Fuzzy Hash: CDF1C0315043009FDB24EF25C895B6EBBE1BF85318F14895EF9958B2A2CB35EC44CB66

Function 004BD730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004BD807
timeGetTime.WINMM ref: 004BDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004BDB28
TranslateMessage.USER32(?), ref: 004BDB7B
DispatchMessageW.USER32(?), ref: 004BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004BDB9F
Sleep.KERNELBASE(0000000A), ref: 004BDBB1

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: d0a7f0605b7d54974059c56ab7b96725c25da1ec43822688b4d4a3debb7f9861
Instruction ID: c67566b88f4fd80888e00d9c87e19db6be3097bb3af26c19714800b50c2445cd
Opcode Fuzzy Hash: d0a7f0605b7d54974059c56ab7b96725c25da1ec43822688b4d4a3debb7f9861
Instruction Fuzzy Hash: 4B420770A08741DFD728CF24C848BEEBBE0BF95304F14459EE85587291E778E845DBA6

Function 004B2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004B2D07
RegisterClassExW.USER32(00000030), ref: 004B2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004B2D42
InitCommonControlsEx.COMCTL32(?), ref: 004B2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004B2D6F
LoadIconW.USER32(000000A9), ref: 004B2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004B2D94

Strings

0, xrefs: 004B2CE9
TaskbarCreated, xrefs: 004B2D37
+, xrefs: 004B2CF0
AutoIt v3 GUI, xrefs: 004B2D23

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 42b61fef2c3890eacd51fa50594a34fa045b616b019a60883c36380cb2d4625c
Instruction ID: ceab6fb42e8c5f9dde5ae0cfe0dbeb2fdefb5a24865b46e48c0fbbcdfe9d4372
Opcode Fuzzy Hash: 42b61fef2c3890eacd51fa50594a34fa045b616b019a60883c36380cb2d4625c
Instruction Fuzzy Hash: 1B21E3B5902308AFDB40DFA4E849BDDBFB8FB59704F00811AF911B62A0D7B10549EF94

Function 004F065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004F039A: CreateFileW.KERNELBASE(00000000,00000000,?,004F0704,?,?,00000000,?,004F0704,00000000,0000000C), ref: 004F03B7

GetLastError.KERNEL32 ref: 004F076F
__dosmaperr.LIBCMT ref: 004F0776
GetFileType.KERNELBASE(00000000), ref: 004F0782
GetLastError.KERNEL32 ref: 004F078C
__dosmaperr.LIBCMT ref: 004F0795
CloseHandle.KERNEL32(00000000), ref: 004F07B5
CloseHandle.KERNEL32(?), ref: 004F08FF
GetLastError.KERNEL32 ref: 004F0931
__dosmaperr.LIBCMT ref: 004F0938

Strings

H, xrefs: 004F08BD

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a939291816f4ef96eaa101c27206fdf317bcd82fc98e98731e6c2a07182bee0d
Instruction ID: abbcff633c73dfbd748f7a1c80e31a78b1cf5d6015f16c7038d31c4cd5953566
Opcode Fuzzy Hash: a939291816f4ef96eaa101c27206fdf317bcd82fc98e98731e6c2a07182bee0d
Instruction Fuzzy Hash: 06A13832A001088FDF19AF68D851BBE7BA0AB86314F14415EF9119F3D2D7399816DB95

Function 004B344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00581418,?,004B2E7F,?,?,?,00000000), ref: 004B3A78

Part of subcall function 004B3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004B3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004B356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004F318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004F31CE
RegCloseKey.ADVAPI32(?), ref: 004F3210
_wcslen.LIBCMT ref: 004F3277
_wcslen.LIBCMT ref: 004F3286

Strings

\, xrefs: 004F328C
Software\AutoIt v3\AutoIt, xrefs: 004B3560
Include, xrefs: 004F3184, 004F31C5
\Include\, xrefs: 004B3527

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: f162e682605c8416e910363ad915836341da3e31735a0f619667c56230849751
Instruction ID: bcd803b4fd1152cd35ae5a7ffbdc5a601a3cc0e6e744c3dbb35b3bc6f59aeb4b
Opcode Fuzzy Hash: f162e682605c8416e910363ad915836341da3e31735a0f619667c56230849751
Instruction Fuzzy Hash: FB71B1715043009EC314EF66DC919ABBFE8FF95744F40182FF945A3260EB389A48DB66

Function 004B2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004B2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 004B2B9D
LoadIconW.USER32(00000063), ref: 004B2BB3
LoadIconW.USER32(000000A4), ref: 004B2BC5
LoadIconW.USER32(000000A2), ref: 004B2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004B2BEF
RegisterClassExW.USER32(?), ref: 004B2C40

Part of subcall function 004B2CD4: GetSysColorBrush.USER32(0000000F), ref: 004B2D07
Part of subcall function 004B2CD4: RegisterClassExW.USER32(00000030), ref: 004B2D31
Part of subcall function 004B2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004B2D42
Part of subcall function 004B2CD4: InitCommonControlsEx.COMCTL32(?), ref: 004B2D5F
Part of subcall function 004B2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004B2D6F
Part of subcall function 004B2CD4: LoadIconW.USER32(000000A9), ref: 004B2D85
Part of subcall function 004B2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004B2D94

Strings

AutoIt v3, xrefs: 004B2C2F
0, xrefs: 004B2C0F
#, xrefs: 004B2C16

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c156f27da5cb4fbbd3e0a3ccfc76eff997efd3ae1a6dac7241eddd4d250eee5f
Instruction ID: b64adb7b828ed2957cdda0ccbbe66f2232e02b592533474a4d738c9ba24d98fd
Opcode Fuzzy Hash: c156f27da5cb4fbbd3e0a3ccfc76eff997efd3ae1a6dac7241eddd4d250eee5f
Instruction Fuzzy Hash: 22217974E01318ABDB109FA6EC44AED7FB8FB58B44F00141AE900B26A0DBB10509EF98

Function 004B3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,004B316A,?,?), ref: 004B31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,004B316A,?,?), ref: 004B3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004B3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,004B316A,?,?), ref: 004B3232
CreatePopupMenu.USER32 ref: 004B3246
PostQuitMessage.USER32(00000000), ref: 004B3267

Strings

TaskbarCreated, xrefs: 004B322D

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: dcc03017231765ea88bf67c5599baba457c143934b819751350a02d0085cf74d
Instruction ID: 7399f8353a9e3d4fe5e626fca2c4ba8f55351a2926f23a42633908a1c4b82c17
Opcode Fuzzy Hash: dcc03017231765ea88bf67c5599baba457c143934b819751350a02d0085cf74d
Instruction Fuzzy Hash: F4412835240604A7DB182F6ACD0ABFA3E5DF755306F04015BF902A52A1CB789E46A77E

Function 004B1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004B1459
CoUninitialize.COMBASE ref: 004B14F8
UnregisterHotKey.USER32(?), ref: 004B16DD
DestroyWindow.USER32(?), ref: 004F24B9
FreeLibrary.KERNEL32(?), ref: 004F251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004F254B

Strings

close all, xrefs: 004B1454

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b1b0823c272e879d5d214981b7bde645756fdad4474d4e796c30ce2f5dc9e49b
Instruction ID: 01cce009dae0d6df9e6322fb29b075f3692d9723679edea465bfbbaba869e70e
Opcode Fuzzy Hash: b1b0823c272e879d5d214981b7bde645756fdad4474d4e796c30ce2f5dc9e49b
Instruction Fuzzy Hash: 55D1B030702212DFCB19EF15C5A9BA9F7A0BF05304F5441AEE54A6B361CB78AC12CF69

Function 004B2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004B2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004B2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,004B1CAD,?), ref: 004B2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,004B1CAD,?), ref: 004B2CCF

Strings

AutoIt v3, xrefs: 004B2C89, 004B2C8E, 004B2C8F
edit, xrefs: 004B2CAC

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 5bf510e5be0e188b864aaccd917d3fef6c08827914eed68d4032a46ca4bc1175
Instruction ID: 453024dacca5c050bf6d79c569efefc0d0998d895034e00f07bb418ea72c18cb
Opcode Fuzzy Hash: 5bf510e5be0e188b864aaccd917d3fef6c08827914eed68d4032a46ca4bc1175
Instruction Fuzzy Hash: 2FF03A755403907AEB300713AC09EB72EBDE7E7F50B00141EFD00A21A0CA71184AEBB8

Function 004B3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,004B3B0F,SwapMouseButtons,00000004,?), ref: 004B3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,004B3B0F,SwapMouseButtons,00000004,?), ref: 004B3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,004B3B0F,SwapMouseButtons,00000004,?), ref: 004B3B83

Strings

Control Panel\Mouse, xrefs: 004B3B3E

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e3e82ae162659f36e195dd30e2618fa03465165969498b82febafa4981452dd2
Instruction ID: fc53847f11a7c8ff78a134bbae0e5df6d805475bad6909370bb8313fc2e62cf8
Opcode Fuzzy Hash: e3e82ae162659f36e195dd30e2618fa03465165969498b82febafa4981452dd2
Instruction Fuzzy Hash: 41119AB5511208FFDB208FA6DC48AEFBBB8EF51349B00451AA805D3215D231AE04A764

Function 004B3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004F33A2

Part of subcall function 004B6B57: _wcslen.LIBCMT ref: 004B6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 004B3A04

Strings

Line: , xrefs: 004F33EB

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 2f435031a8c9223a02f97ee9b4fc4904f953916de309942f234f63589b827cea
Instruction ID: 72034e1081db5844ad489bc8d9595773da823329f1d361472b1eb85074383f64
Opcode Fuzzy Hash: 2f435031a8c9223a02f97ee9b4fc4904f953916de309942f234f63589b827cea
Instruction Fuzzy Hash: 0C310371408300AAC320EF21DC45BEBB7DCAB50719F00492FF99992191EF789A49C7EA

Function 004B2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 004F2C8C

Part of subcall function 004B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004B3A97,?,?,004B2E7F,?,?,?,00000000), ref: 004B3AC2

Part of subcall function 004B2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004B2DC4

Strings

X, xrefs: 004F2C5A
`eW, xrefs: 004F2C85

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eW
API String ID: 779396738-1145297899
Opcode ID: 65db7ad32e18fdd92e316d838b6500e9c1b069d9c64502a75cd0ed37040ab8f5
Instruction ID: 8c7038d3b411dde0cb6e4ba3afe7c0fc28bf39d0b0ffebafac2f23e879bdd735
Opcode Fuzzy Hash: 65db7ad32e18fdd92e316d838b6500e9c1b069d9c64502a75cd0ed37040ab8f5
Instruction Fuzzy Hash: 64218171A002989ACB019F95D845BEE7BF9AF49308F00805AE509A7241DBF89A499B75

Function 004CFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004D0668

Part of subcall function 004D32A4: RaiseException.KERNEL32(?,?,?,004D068A,?,00581444,?,?,?,?,?,?,004D068A,004B1129,00578738,004B1129), ref: 004D3304

__CxxThrowException@8.LIBVCRUNTIME ref: 004D0685

Strings

Unknown exception, xrefs: 004D0692

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: c9e80f58ea7324db97d90d634665dfdc1fdaac0ead45dd3c22a8e94cf3cd7e78
Instruction ID: f9cc2fd51c548cee571135a4c3df568453e92d226a2908f9e5a854a0238136b9
Opcode Fuzzy Hash: c9e80f58ea7324db97d90d634665dfdc1fdaac0ead45dd3c22a8e94cf3cd7e78
Instruction Fuzzy Hash: 89F0283490020D73CB00BA66E86AE9E7B6D6E00304F60407BB815877D1EF39DA19C589

Function 004B10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 004B1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004B1BF4
Part of subcall function 004B1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 004B1BFC
Part of subcall function 004B1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004B1C07
Part of subcall function 004B1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004B1C12
Part of subcall function 004B1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 004B1C1A
Part of subcall function 004B1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 004B1C22

Part of subcall function 004B1B4A: RegisterWindowMessageW.USER32(00000004,?,004B12C4), ref: 004B1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004B136A
OleInitialize.OLE32 ref: 004B1388
CloseHandle.KERNEL32(00000000,00000000), ref: 004F24AB

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: a68a32afebd1593b9b86993d3bb58a419c83304151eefbd83ba3806b9acb27d7
Instruction ID: ed7489381a71552ca082b9bda540337aaf12fb100feba34b0e842820cd41a08c
Opcode Fuzzy Hash: a68a32afebd1593b9b86993d3bb58a419c83304151eefbd83ba3806b9acb27d7
Instruction Fuzzy Hash: 8C71C0B4901A008EC784EF7AE8556953EE8FBA9348744652EDC0AF7271EB34440BEF5C

Function 0051C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 004B3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0051C259
KillTimer.USER32(?,00000001,?,?), ref: 0051C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0051C270

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 2ce0adb0ea230ef514940b22b27551fb8e2714b7ff4b0302063408f39727fafb
Instruction ID: afc8883bd1d0d743a8863eb207f36f8bad6ba152fc9590de7f31f003e966bdda
Opcode Fuzzy Hash: 2ce0adb0ea230ef514940b22b27551fb8e2714b7ff4b0302063408f39727fafb
Instruction Fuzzy Hash: 9A31B174944344AFEB229F648855BEABFECAB16308F00049ED5EAA3241C7755AC9CB51

Function 004E86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004E85CC,?,00578CC8,0000000C), ref: 004E8704
GetLastError.KERNEL32(?,004E85CC,?,00578CC8,0000000C), ref: 004E870E
__dosmaperr.LIBCMT ref: 004E8739

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: dc7814466f5c9aff681473c1375bf5c5267a16e611d64aefefd91cafdb7c4700
Instruction ID: de21cf72afa5d0a24910d4a3d8273b46454f81762bb685e027cd154853820522
Opcode Fuzzy Hash: dc7814466f5c9aff681473c1375bf5c5267a16e611d64aefefd91cafdb7c4700
Instruction Fuzzy Hash: F4016B326052E016CA606237684577F6B594B9277EF39019FFC1C9B2D3DEAC8C85825C

Function 004BDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 004BDB7B
DispatchMessageW.USER32(?), ref: 004BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004BDB9F
Sleep.KERNELBASE(0000000A), ref: 004BDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00501CC9

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 6bd2295fd21ea51861e08f6979624480771671eecc76a67efe5c89c11b3f0314
Instruction ID: aa51211ba16e913afd76d4d2222d7800d429db73533cfec38c63afb291e2cb93
Opcode Fuzzy Hash: 6bd2295fd21ea51861e08f6979624480771671eecc76a67efe5c89c11b3f0314
Instruction Fuzzy Hash: 4BF05E306453409BEB70DB608C49FEA7BACFB99354F104669E61A930C0EB34A4499F2E

Function 004C1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004C17F6

Strings

CALL, xrefs: 004C17C6

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 865b92b2bb4e6db426369d184d8d0015c866b8e0e7183181b1c044674596028b
Instruction ID: f6fe82e33fdcd11fd803480fbe232a709a834ece99f2a478362026eeee9062c9
Opcode Fuzzy Hash: 865b92b2bb4e6db426369d184d8d0015c866b8e0e7183181b1c044674596028b
Instruction Fuzzy Hash: F2229C786082019FC754DF15C484F2ABBF1BF86314F28891EF4968B3A2D739E855CB96

Function 004B3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 004B3908

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 253d6326d256004f7867ce1af203ea1e3e36fd56ad5e006f1cabec373c8b749b
Instruction ID: f1c33a3b45f8bdd2c60f66f5d59df1de5f3b8f095cc526fa92fd5ab64ab9069a
Opcode Fuzzy Hash: 253d6326d256004f7867ce1af203ea1e3e36fd56ad5e006f1cabec373c8b749b
Instruction Fuzzy Hash: 23319CB05047019FD720EF25D8847D7BBE8FB59309F00092EF99993240EB75AA49DB6A

Function 004CF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004CF661

Part of subcall function 004BD730: GetInputState.USER32 ref: 004BD807

Sleep.KERNEL32(00000000), ref: 0050F2DE

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 3bbd1282728803f924ab7127f4afbcf96ae79479b7e6e2078f96ba60c8c85836
Instruction ID: 61c11c50df22007b2e336fd75323337fb50864411c73c54756170bc08a8cc21a
Opcode Fuzzy Hash: 3bbd1282728803f924ab7127f4afbcf96ae79479b7e6e2078f96ba60c8c85836
Instruction Fuzzy Hash: D0F0A735240605AFD350EF75D845F9ABBE8FF55764F00002EE85AC7360DB74A804CBA5

Function 004B4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004B4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004B4EDD,?,00581418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004B4E9C
Part of subcall function 004B4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004B4EAE
Part of subcall function 004B4E90: FreeLibrary.KERNEL32(00000000,?,?,004B4EDD,?,00581418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004B4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00581418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004B4EFD

Part of subcall function 004B4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004F3CDE,?,00581418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004B4E62
Part of subcall function 004B4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004B4E74
Part of subcall function 004B4E59: FreeLibrary.KERNEL32(00000000,?,?,004F3CDE,?,00581418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004B4E87

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 4597c472358e5da55d1aabe7a1fe7d223a0a34a05dd3215fdc77fc50fe137e54
Instruction ID: 044060a858a92106a38843fb8f4789181060bfc554b0f6cb64c683744dcfebb7
Opcode Fuzzy Hash: 4597c472358e5da55d1aabe7a1fe7d223a0a34a05dd3215fdc77fc50fe137e54
Instruction Fuzzy Hash: 4911C432600205AACB14BF65DC12BED77A5AF90B19F10842FF542A71C2DE78DA459768

Function 004E8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004E8440

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 6e47d68a53ab058db1203529944273d00e00681810303b0c1d65b058a7c4b63c
Instruction ID: 65201174dd9fac45922844d969aeccf956cb1118ece0212ae25313681ecd16ab
Opcode Fuzzy Hash: 6e47d68a53ab058db1203529944273d00e00681810303b0c1d65b058a7c4b63c
Instruction Fuzzy Hash: 5611487190410AAFCF05DF59E9409AF7BF4EF48314F10405AFC08AB352EA30DA11CBA9

Function 004E5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004E4C7D: RtlAllocateHeap.NTDLL(00000008,004B1129,00000000,?,004E2E29,00000001,00000364,?,?,?,004DF2DE,004E3863,00581444,?,004CFDF5,?), ref: 004E4CBE

_free.LIBCMT ref: 004E506C

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: d7c9261a168dcf94637ea75fd657e043bed2492c8e7b51954ae20b27d04be35e
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: B7012B722047445BE3218F66984595AFBECFB85375F25051EF184932C0E674A805C678

Function 004DE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 6178ebe933ec480b7fcce163225bf5b0c14bece858a98e8a6e4929d67ea4a558
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: CCF0F932511A1496C6313A678C25B57339C9F6233DF10075FF425963D2DB7CE40285AD

Function 004E4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,004B1129,00000000,?,004E2E29,00000001,00000364,?,?,?,004DF2DE,004E3863,00581444,?,004CFDF5,?), ref: 004E4CBE

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 40c7ef0e6b9f05a43b8751a1b363138430821dfe5510a32fee006e45233dc80c
Instruction ID: 8f1ecd3864752e245dbd4e74186d42952c36b44e99948766af4b8e5e659ea2b8
Opcode Fuzzy Hash: 40c7ef0e6b9f05a43b8751a1b363138430821dfe5510a32fee006e45233dc80c
Instruction Fuzzy Hash: 28F024312032A067DB201F639C05B5B3788AFC13A6B264117B80AA73C0CA38D80192E8

Function 004E3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00581444,?,004CFDF5,?,?,004BA976,00000010,00581440,004B13FC,?,004B13C6,?,004B1129), ref: 004E3852

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 80b23ab95b21c19588a7e42443edbe8e1d5ba6b947a94812680c86b656fb4890
Instruction ID: 02fcd37244fbaf7cb80e82e71aa0057768a4e85dd43d090a34c6e06247ce06ff
Opcode Fuzzy Hash: 80b23ab95b21c19588a7e42443edbe8e1d5ba6b947a94812680c86b656fb4890
Instruction Fuzzy Hash: E9E0A0315012A466D6323E679C09B9B36C8BB827B7B050127BC05936D0CB29DD0282ED

Function 004B4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00581418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004B4F6D

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9a9c64b81b9582990e4144789d4302cc68d66f6aafcc5d3b2be4f48c845225ef
Instruction ID: 9df3d8cfddeaf935ef4a1b134990998210a89ce01bac3b14ef4663b67f613970
Opcode Fuzzy Hash: 9a9c64b81b9582990e4144789d4302cc68d66f6aafcc5d3b2be4f48c845225ef
Instruction Fuzzy Hash: 45F03971505752CFDB349F65D4908A2BBF4EF94329320897FE1EA87622C7399848DF28

Function 00542A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00542A66

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: f7cd14a8438d81bcacbe08e1e3570164bd6f4f0c542c9971495c7060b457a72a
Instruction ID: f2cd2259cc3210eb477204f9e6c78d8cb44ce3f6436222f8f47cbf2b7894444f
Opcode Fuzzy Hash: f7cd14a8438d81bcacbe08e1e3570164bd6f4f0c542c9971495c7060b457a72a
Instruction Fuzzy Hash: 55E0DF36350126AAD710EA31EC888FE7F4CFFA1399B004836BC16C3100DB308A8686A0

Function 004B30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 004B314E

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 0620e95c30d87d638765a4178a7c6496dd793114aeec4974a51333110f5371a3
Instruction ID: 41a49df2b43c49bcbb06d2810b6526a1ad9e67820db0b9a1c459f7d4cd6034e9
Opcode Fuzzy Hash: 0620e95c30d87d638765a4178a7c6496dd793114aeec4974a51333110f5371a3
Instruction Fuzzy Hash: C1F0A7709003049FEB529F24DC467D67BBCA71170CF0000EAA548A6281DB74478DDF55

Function 004B2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004B2DC4

Part of subcall function 004B6B57: _wcslen.LIBCMT ref: 004B6B6A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 238bf233f8b7216f43773412b2640ee7a974abc65819d36946d392c058b8a8c7
Instruction ID: a9cbee0e7954c524e7995949de05ce82e72b898663ac1fa86b0b1ecd7ed42db1
Opcode Fuzzy Hash: 238bf233f8b7216f43773412b2640ee7a974abc65819d36946d392c058b8a8c7
Instruction Fuzzy Hash: 9EE07D766041245BC71092598C05FEA77EDDFC8394F000076FD09D3208D9A4AC808564

Function 004B2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004B3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004B3908

Part of subcall function 004BD730: GetInputState.USER32 ref: 004BD807

SetCurrentDirectoryW.KERNEL32(?), ref: 004B2B6B

Part of subcall function 004B30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 004B314E

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: eea9e39537abb5615e534b901ba0ff001cfd8b3bb3db0a32df86907b79340473
Instruction ID: 9739610431cf5a01d68ddc36ca4474098dee6526f138f022fa25a28a5dbd8359
Opcode Fuzzy Hash: eea9e39537abb5615e534b901ba0ff001cfd8b3bb3db0a32df86907b79340473
Instruction Fuzzy Hash: 4BE0862170424406CA04BF7798525EDB79D9BE135AF40153FF54253163DE6C494A437A

Function 004F039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,004F0704,?,?,00000000,?,004F0704,00000000,0000000C), ref: 004F03B7

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c42acf1f72ab98be46590a91ab88933b97dc70ebc97f4fd615b24cf95ec4eed4
Instruction ID: 0953c952cb6a919c3f20889d7e55da15f74c2ed517f68e10daa60ffc86bb6ca4
Opcode Fuzzy Hash: c42acf1f72ab98be46590a91ab88933b97dc70ebc97f4fd615b24cf95ec4eed4
Instruction Fuzzy Hash: 30D06C3204010DBBDF028F84DD06EDA3FAAFB88714F014000BE1856020C732E821EB90

Function 004B1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 004B1CBC

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 1e957eb9e1852427f6c5727ecaa33e5f2b4a0639bf3844739e28d3d3ec0aada0
Instruction ID: eeba3a8d3eea026b92044fe8ab9f0a74dcb88c04b2e81f2c880fb6cf876383a3
Opcode Fuzzy Hash: 1e957eb9e1852427f6c5727ecaa33e5f2b4a0639bf3844739e28d3d3ec0aada0
Instruction Fuzzy Hash: C4C09B352C03049FF2144780FC4AF947B54A368B05F045401FB09795E3C7A11414FB54

Non-executed Functions

Function 00549576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004C9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0054961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0054965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0054969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005496C9
SendMessageW.USER32 ref: 005496F2
GetKeyState.USER32(00000011), ref: 0054978B
GetKeyState.USER32(00000009), ref: 00549798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005497AE
GetKeyState.USER32(00000010), ref: 005497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005497E9
SendMessageW.USER32 ref: 00549810
SendMessageW.USER32(?,00001030,?,00547E95), ref: 00549918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0054992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00549941
SetCapture.USER32(?), ref: 0054994A
ClientToScreen.USER32(?,?), ref: 005499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005499D6
ReleaseCapture.USER32 ref: 005499E1
GetCursorPos.USER32(?), ref: 00549A19
ScreenToClient.USER32(?,?), ref: 00549A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00549A80
SendMessageW.USER32 ref: 00549AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00549AEB
SendMessageW.USER32 ref: 00549B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00549B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00549B4A
GetCursorPos.USER32(?), ref: 00549B68
ScreenToClient.USER32(?,?), ref: 00549B75
GetParent.USER32(?), ref: 00549B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00549BFA
SendMessageW.USER32 ref: 00549C2B
ClientToScreen.USER32(?,?), ref: 00549C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00549CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00549CDE
SendMessageW.USER32 ref: 00549D01
ClientToScreen.USER32(?,?), ref: 00549D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00549D82

Part of subcall function 004C9944: GetWindowLongW.USER32(?,000000EB), ref: 004C9952

GetWindowLongW.USER32(?,000000F0), ref: 00549E05

Strings

@GUI_DRAGID, xrefs: 0054997D
F, xrefs: 00549D07
p#X, xrefs: 00549990

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#X
API String ID: 3429851547-2394512459
Opcode ID: ea4c47005e9061c7cf5eda1467a9e6f2abe27497b56fec87cd84b424043822a4
Instruction ID: 03ccf23fd57b3066d1990c03143670bf5ef1b7e3dc41ab9cab2d77f08ed88d6f
Opcode Fuzzy Hash: ea4c47005e9061c7cf5eda1467a9e6f2abe27497b56fec87cd84b424043822a4
Instruction Fuzzy Hash: 28428B34204201AFDB24CF28C846EEBBFE9FF89318F114A19F9599B2A1D731A855DF51

Function 00544873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00544908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00544927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0054494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0054495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0054497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00544A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00544A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00544A7E
IsMenu.USER32(?), ref: 00544A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00544AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00544B20
GetWindowLongW.USER32(?,000000F0), ref: 00544B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00544BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00544C82
wsprintfW.USER32 ref: 00544CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00544CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00544CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00544D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00544D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00544D5A

Strings

%d/%02d/%02d, xrefs: 00544CA8

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: e1b983d89c051813a7ebfacffc3de01eca1e7932908c7769694e6da2e914f6a4
Instruction ID: e3f332c87bc870c2348345aaa3d2f5c8a5d70400fe11253bbc9417182a90733e
Opcode Fuzzy Hash: e1b983d89c051813a7ebfacffc3de01eca1e7932908c7769694e6da2e914f6a4
Instruction Fuzzy Hash: 7E12EC71640214ABEB248F29CC49FEE7FA8FF85318F104129F916EB2A1DB789945DF50

Function 004CF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 004CF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0050F474
IsIconic.USER32(00000000), ref: 0050F47D
ShowWindow.USER32(00000000,00000009), ref: 0050F48A
SetForegroundWindow.USER32(00000000), ref: 0050F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0050F4AA
GetCurrentThreadId.KERNEL32 ref: 0050F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0050F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0050F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0050F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0050F4DE
SetForegroundWindow.USER32(00000000), ref: 0050F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0050F4F6
keybd_event.USER32(00000012,00000000), ref: 0050F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0050F50B
keybd_event.USER32(00000012,00000000), ref: 0050F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0050F519
keybd_event.USER32(00000012,00000000), ref: 0050F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0050F528
keybd_event.USER32(00000012,00000000), ref: 0050F52D
SetForegroundWindow.USER32(00000000), ref: 0050F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0050F557

Strings

Shell_TrayWnd, xrefs: 0050F46F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 2097e5d04f7d6552295a0b3b769e90c18e430650d910a632262915a3b019f346
Instruction ID: ab8b5ba92178056ba3385ba1ac1c3bf107d1c4f3a4f0f778510b4c1d43978e2c
Opcode Fuzzy Hash: 2097e5d04f7d6552295a0b3b769e90c18e430650d910a632262915a3b019f346
Instruction Fuzzy Hash: 46315075A41218BBEB306BB55C4AFFF7E6CEB85B54F100065FA01E61D1C6B06D00ABA0

Function 00511201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0051170D
Part of subcall function 005116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0051173A
Part of subcall function 005116C3: GetLastError.KERNEL32 ref: 0051174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00511286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005112A8
CloseHandle.KERNEL32(?), ref: 005112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005112D1
GetProcessWindowStation.USER32 ref: 005112EA
SetProcessWindowStation.USER32(00000000), ref: 005112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00511310

Part of subcall function 005110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005111FC), ref: 005110D4
Part of subcall function 005110BF: CloseHandle.KERNEL32(?,?,005111FC), ref: 005110E9

Strings

winsta0, xrefs: 005112CC
default, xrefs: 0051130B
ZW, xrefs: 00511392
, xrefs: 0051125A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZW
API String ID: 22674027-113628107
Opcode ID: de3f5bda405b42f4e072e8f9f2d2cc089e9f12e8a7137184fdf1c64745a2e92e
Instruction ID: 970dfc5620ccc0927c7d10bdf07088134be7f4c07fce15240c00530aacd49e78
Opcode Fuzzy Hash: de3f5bda405b42f4e072e8f9f2d2cc089e9f12e8a7137184fdf1c64745a2e92e
Instruction Fuzzy Hash: 6281BF71900209AFEF209FA4DC49FEE7FB9FF45704F144169FA10A61A0D7B58984DB29

Function 00510B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00511114
Part of subcall function 005110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00510B9B,?,?,?), ref: 00511120
Part of subcall function 005110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00510B9B,?,?,?), ref: 0051112F
Part of subcall function 005110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00510B9B,?,?,?), ref: 00511136
Part of subcall function 005110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0051114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00510BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00510C00
GetLengthSid.ADVAPI32(?), ref: 00510C17
GetAce.ADVAPI32(?,00000000,?), ref: 00510C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00510C6D
GetLengthSid.ADVAPI32(?), ref: 00510C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00510C8C
HeapAlloc.KERNEL32(00000000), ref: 00510C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00510CB4
CopySid.ADVAPI32(00000000), ref: 00510CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00510CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00510D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00510D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00510D45
HeapFree.KERNEL32(00000000), ref: 00510D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00510D55
HeapFree.KERNEL32(00000000), ref: 00510D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00510D65
HeapFree.KERNEL32(00000000), ref: 00510D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00510D78
HeapFree.KERNEL32(00000000), ref: 00510D7F

Part of subcall function 00511193: GetProcessHeap.KERNEL32(00000008,00510BB1,?,00000000,?,00510BB1,?), ref: 005111A1
Part of subcall function 00511193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00510BB1,?), ref: 005111A8
Part of subcall function 00511193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00510BB1,?), ref: 005111B7

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 621ddce93e605656d610e7f192ffc5ac0efd05de9ab7be896c114287484996fa
Instruction ID: 494493689d7167355b36ffe3df711f67bf0c662ce022c9e77b498b2021b0fb7c
Opcode Fuzzy Hash: 621ddce93e605656d610e7f192ffc5ac0efd05de9ab7be896c114287484996fa
Instruction Fuzzy Hash: C0719CB690120AABEF10DFE4EC48FEEBFB8BF45304F044515E914A7191D7B1A985CBA0

Function 0052EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0054CC08), ref: 0052EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0052EB37
GetClipboardData.USER32(0000000D), ref: 0052EB43
CloseClipboard.USER32 ref: 0052EB4F
GlobalLock.KERNEL32(00000000), ref: 0052EB87
CloseClipboard.USER32 ref: 0052EB91
GlobalUnlock.KERNEL32(00000000), ref: 0052EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0052EBC9
GetClipboardData.USER32(00000001), ref: 0052EBD1
GlobalLock.KERNEL32(00000000), ref: 0052EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0052EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0052EC38
GetClipboardData.USER32(0000000F), ref: 0052EC44
GlobalLock.KERNEL32(00000000), ref: 0052EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0052EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0052EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0052ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0052ECF3
CountClipboardFormats.USER32 ref: 0052ED14
CloseClipboard.USER32 ref: 0052ED59

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 907f889476ccbd07a9eb561a0bcaf9a0fa5231d8b848bf1fd2025a53e0b54bf6
Instruction ID: 5111002e177ba46fff33638bfc5914e19a66d7d4721838259c4aae2a714031d0
Opcode Fuzzy Hash: 907f889476ccbd07a9eb561a0bcaf9a0fa5231d8b848bf1fd2025a53e0b54bf6
Instruction Fuzzy Hash: EF61F1382042119FD300EF24E88AFAA7FA4BF96708F14441DF846972E2CB71DD09DB62

Function 0052698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005269BE
FindClose.KERNEL32(00000000), ref: 00526A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00526A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00526A75

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00526AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00526ADF

Strings

%4d, xrefs: 00526BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00526B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00526B32
%03d, xrefs: 00526DA2
%02d, xrefs: 00526C00, 00526C0A, 00526C5A, 00526CAA, 00526CFA, 00526D4A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: baf1e19575f5c4855dee924a191317fd40ee6f1c1219ff8bf0dfde409eb4c712
Instruction ID: 3409f524016f36c23354ecbde0507a8fc55cef4d2315df9ef697b82ccd765552
Opcode Fuzzy Hash: baf1e19575f5c4855dee924a191317fd40ee6f1c1219ff8bf0dfde409eb4c712
Instruction Fuzzy Hash: E0D14271508300AFC714EBA5D881EABB7ECBF99708F04491EF589D7191EB78DA48C762

Function 00529642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00529663
GetFileAttributesW.KERNEL32(?), ref: 005296A1
SetFileAttributesW.KERNEL32(?,?), ref: 005296BB
FindNextFileW.KERNEL32(00000000,?), ref: 005296D3
FindClose.KERNEL32(00000000), ref: 005296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0052974A
SetCurrentDirectoryW.KERNEL32(00576B7C), ref: 00529768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00529772
FindClose.KERNEL32(00000000), ref: 0052977F
FindClose.KERNEL32(00000000), ref: 0052978F

Strings

*.*, xrefs: 005296F5

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 01d149942f6427bdd7c58e21175064b5c139beaa40f2ae2a06bd2eccbe1a1acc
Instruction ID: 7b693c63ff624a9243f32ee69b46330bf80da1c5cd7124bcd94f8bdbf09e0c12
Opcode Fuzzy Hash: 01d149942f6427bdd7c58e21175064b5c139beaa40f2ae2a06bd2eccbe1a1acc
Instruction Fuzzy Hash: DB31CF365016296EDB10AFB5EC48ADE3FACFF4B324F14409AE915E22D0DB74D9489E14

Function 0052979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 005297BE
FindNextFileW.KERNEL32(00000000,?), ref: 00529819
FindClose.KERNEL32(00000000), ref: 00529824
FindFirstFileW.KERNEL32(*.*,?), ref: 00529840
SetCurrentDirectoryW.KERNEL32(?), ref: 00529890
SetCurrentDirectoryW.KERNEL32(00576B7C), ref: 005298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005298B8
FindClose.KERNEL32(00000000), ref: 005298C5
FindClose.KERNEL32(00000000), ref: 005298D5

Part of subcall function 0051DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0051DB00

Strings

*.*, xrefs: 0052983B

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: a50981999f4e091cfd8e50ca7e39c4926c10f64cbfdb9c1e9b311a6d63470bb7
Instruction ID: 08a5a842f1b9be797f5dc6c56fa7d66f5147c04446bcc64c528937e8e32302ad
Opcode Fuzzy Hash: a50981999f4e091cfd8e50ca7e39c4926c10f64cbfdb9c1e9b311a6d63470bb7
Instruction Fuzzy Hash: 0E31F3365016296EDF10AFB5FC48ADE3FACBF47324F18409AE854A22D0DB70D9489E64

Function 0053BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0053C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053B6AE,?,?), ref: 0053C9B5
Part of subcall function 0053C998: _wcslen.LIBCMT ref: 0053C9F1
Part of subcall function 0053C998: _wcslen.LIBCMT ref: 0053CA68
Part of subcall function 0053C998: _wcslen.LIBCMT ref: 0053CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0053BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0053BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0053BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0053C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0053C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0053C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0053C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0053C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0053C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0053C382
RegCloseKey.ADVAPI32(00000000), ref: 0053C38F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 03fc0cc47c84b1fa839e0a08f2e04427456b4e6143ffc5c2f51abeb8e9fb3d76
Instruction ID: 5d847da1f8f36c73a1a8fa13c0ca6ade38712afedd5db9cf7139af805d154d9d
Opcode Fuzzy Hash: 03fc0cc47c84b1fa839e0a08f2e04427456b4e6143ffc5c2f51abeb8e9fb3d76
Instruction Fuzzy Hash: 7E024D71604200AFD714DF24C895E2ABBE5FF89318F18889DF84ADB2A2D735ED45CB61

Function 00528195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00528257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00528267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00528273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00528310
SetCurrentDirectoryW.KERNEL32(?), ref: 00528324
SetCurrentDirectoryW.KERNEL32(?), ref: 00528356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0052838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00528395

Strings

*.*, xrefs: 0052839B

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: ab49598e384117cca461f6f8da4795985d98d85ca1bd3f90cbec7222f27c7040
Instruction ID: 97b1343a35b20934ee88db471bfd8b71fec43654aced1d40791151b4d31f6bfc
Opcode Fuzzy Hash: ab49598e384117cca461f6f8da4795985d98d85ca1bd3f90cbec7222f27c7040
Instruction Fuzzy Hash: 54619D755043159FC710EF60D8809AEB7E8FF8A318F044C1EF98983291DB35E945CBA2

Function 0051D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004B3A97,?,?,004B2E7F,?,?,?,00000000), ref: 004B3AC2

Part of subcall function 0051E199: GetFileAttributesW.KERNEL32(?,0051CF95), ref: 0051E19A

FindFirstFileW.KERNEL32(?,?), ref: 0051D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0051D1DD
MoveFileW.KERNEL32(?,?), ref: 0051D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0051D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0051D237

Part of subcall function 0051D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0051D21C,?,?), ref: 0051D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0051D253
FindClose.KERNEL32(00000000), ref: 0051D264

Strings

\*.*, xrefs: 0051D0CD, 0051D0D6, 0051D0EB

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: bf893bd1a0e480b29e5c2ceb308a86c13e0b7bd608f07c4d0cf18b450d2d9094
Instruction ID: 784efc911c65837d1f48dce6c8e5e3be5e50c8f9b7fe94de3830f6dadd89a670
Opcode Fuzzy Hash: bf893bd1a0e480b29e5c2ceb308a86c13e0b7bd608f07c4d0cf18b450d2d9094
Instruction Fuzzy Hash: 2E619B3580110DABDF05EBE1CA929EDBBB5BF55304F24406AE81273192EB34AF49DB70

Function 0052ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0052ED91
EmptyClipboard.USER32 ref: 0052ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0052EDAC
CloseClipboard.USER32 ref: 0052EEA3

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 77e6c20318430a9e40785df502ddb0f34ac3c80c2442482ebbdd9ce81c079cb0
Instruction ID: bafd99d5a1d6b63f21c4f207ffc64b04ca5853684fff5ea70ea4212ac27210a0
Opcode Fuzzy Hash: 77e6c20318430a9e40785df502ddb0f34ac3c80c2442482ebbdd9ce81c079cb0
Instruction Fuzzy Hash: 0441CE39204621AFD310CF15E88AB59BFA4BF56318F15C09DE4158B7A2C775EC42CB90

Function 0051E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0051170D
Part of subcall function 005116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0051173A
Part of subcall function 005116C3: GetLastError.KERNEL32 ref: 0051174A

ExitWindowsEx.USER32(?,00000000), ref: 0051E932

Strings

, xrefs: 0051E95C
SeShutdownPrivilege, xrefs: 0051E902
@, xrefs: 0051E925
, xrefs: 0051E920

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 7bd623f6e1cbc9b460f496d4d61919ba740399e40b6a69901ca794fc6bc60f60
Instruction ID: 8b9a7f4ab8fe0ee4a1141f9e4ddd5581cefc14ff2a82c065e4134f2bc921c126
Opcode Fuzzy Hash: 7bd623f6e1cbc9b460f496d4d61919ba740399e40b6a69901ca794fc6bc60f60
Instruction Fuzzy Hash: 47012636A10311ABFB5422B49C8BFFF7E5CBB59744F140822FD03E21D1D6A55CC491A4

Function 00531204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00531276
WSAGetLastError.WSOCK32 ref: 00531283
bind.WSOCK32(00000000,?,00000010), ref: 005312BA
WSAGetLastError.WSOCK32 ref: 005312C5
closesocket.WSOCK32(00000000), ref: 005312F4
listen.WSOCK32(00000000,00000005), ref: 00531303
WSAGetLastError.WSOCK32 ref: 0053130D
closesocket.WSOCK32(00000000), ref: 0053133C

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: b5c1f40732c16a2ae7f2413386055542a9e436d7507406c779b270f1e970eb43
Instruction ID: 5c83353ac2cdcfafb966c037d029e0751c1458171e27f7863a50a23024f5682f
Opcode Fuzzy Hash: b5c1f40732c16a2ae7f2413386055542a9e436d7507406c779b270f1e970eb43
Instruction Fuzzy Hash: 0B4190356005009FD714DF65C488B6ABFE6BF86318F188588E8568F2D6C771EC86CBE1

Function 004EB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004EB9D4
_free.LIBCMT ref: 004EB9F8
_free.LIBCMT ref: 004EBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00553700), ref: 004EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0058121C,000000FF,00000000,0000003F,00000000,?,?), ref: 004EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00581270,000000FF,?,0000003F,00000000,?), ref: 004EBC36
_free.LIBCMT ref: 004EBD4B

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 1bae7e1bbb8d72bcdbd874ad7613ba8e8329294c43aa6f2dd60bc4fa2c6c69f3
Instruction ID: bc910e666db8d4b81ef8f9d5dbda5452824f513ef0e3db7e29fac1718229da45
Opcode Fuzzy Hash: 1bae7e1bbb8d72bcdbd874ad7613ba8e8329294c43aa6f2dd60bc4fa2c6c69f3
Instruction Fuzzy Hash: 86C136719042849FCB20DF7B8C41AAF7BA8EF41316F1441AFE89597352E7389E4287D8

Function 0051D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004B3A97,?,?,004B2E7F,?,?,?,00000000), ref: 004B3AC2

Part of subcall function 0051E199: GetFileAttributesW.KERNEL32(?,0051CF95), ref: 0051E19A

FindFirstFileW.KERNEL32(?,?), ref: 0051D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0051D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0051D481
FindClose.KERNEL32(00000000), ref: 0051D498
FindClose.KERNEL32(00000000), ref: 0051D4A1

Strings

\*.*, xrefs: 0051D3F2

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: ca8b548e2ee0eb2669d746e62a1e0542a94f8fc3dbb449a76b2229e8d41bbb8c
Instruction ID: a5eca80548af405c84bf995b6e4d47c2f83a410f2617e80da33ef4a899548fee
Opcode Fuzzy Hash: ca8b548e2ee0eb2669d746e62a1e0542a94f8fc3dbb449a76b2229e8d41bbb8c
Instruction Fuzzy Hash: BD319071009341ABC704EF65D8918EFBBE8BE96308F444E1EF4D152191EBB4AA09D777

Function 004EE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 004EE645

Strings

1#INF, xrefs: 004EF852
1#QNAN, xrefs: 004EF84B
1#IND, xrefs: 004EF83D
1#SNAN, xrefs: 004EF844

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 408a32cd57c91d0868b95fa9facfa8ba84f0016409df7f4ed92ff9afb14b159f
Instruction ID: cbfb35db72264cc45f1d8e2ede0c11ff5dd633cf37e8bcd18209414d2eeec2a4
Opcode Fuzzy Hash: 408a32cd57c91d0868b95fa9facfa8ba84f0016409df7f4ed92ff9afb14b159f
Instruction Fuzzy Hash: 79C25A71E046688FDB24CE2ADD407EAB7B5EB44306F1441EBD84DE7281E778AE858F44

Function 0052648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005264DC
CoInitialize.OLE32(00000000), ref: 00526639
CoCreateInstance.OLE32(0054FCF8,00000000,00000001,0054FB68,?), ref: 00526650
CoUninitialize.OLE32 ref: 005268D4

Strings

.lnk, xrefs: 005264BA, 00526524, 005265E0

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: c748e74142a3cfa57b6d339dc9464e9dda5b99a1d3173d60d4abf89080c361da
Instruction ID: 98adf46b4e4efe3af1b69691d5dcb7f038dd2b177fba694c0a21b5b271f4985b
Opcode Fuzzy Hash: c748e74142a3cfa57b6d339dc9464e9dda5b99a1d3173d60d4abf89080c361da
Instruction Fuzzy Hash: F1D15B71608311AFC314EF25C8819ABBBE8FF95708F50495EF5958B291EB70ED05CBA2

Function 005322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005322E8

Part of subcall function 0052E4EC: GetWindowRect.USER32(?,?), ref: 0052E504

GetDesktopWindow.USER32 ref: 00532312
GetWindowRect.USER32(00000000), ref: 00532319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00532355
GetCursorPos.USER32(?), ref: 00532381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005323DF

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: ceb34e9eac3bd1d376a863fee41a8ecfbf08f77a7a26c42876e1ce6752f9aea0
Instruction ID: a0414ca60c42c39d2235e7613c7dcec111430aec0c1d878c7d354a0ca3206d9b
Opcode Fuzzy Hash: ceb34e9eac3bd1d376a863fee41a8ecfbf08f77a7a26c42876e1ce6752f9aea0
Instruction Fuzzy Hash: 8A31DE72505715AFDB20DF18D849B9BBBA9FFC5314F000919F985D7181DB34EA08CB92

Function 00529B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00529B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00529C8B

Part of subcall function 00523874: GetInputState.USER32 ref: 005238CB
Part of subcall function 00523874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00523966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00529BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00529C75

Strings

*.*, xrefs: 00529B5D

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: ceee29ac233e93df20bfa7406d2f0aea859a89a0401f2e2dd5d8ab11c048566b
Instruction ID: f6b4a780507f9b2c7cd605f89bc3535774c0b187cb248d61df486c4e77904c39
Opcode Fuzzy Hash: ceee29ac233e93df20bfa7406d2f0aea859a89a0401f2e2dd5d8ab11c048566b
Instruction Fuzzy Hash: CB419F7190421AAFCF14DF65D885AEEBFB4FF46304F20405AE805A22D1EB309E84CF64

Function 004C997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 004C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004C9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 004C9A4E
GetSysColor.USER32(0000000F), ref: 004C9B23
SetBkColor.GDI32(?,00000000), ref: 004C9B36

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: e96ec514429de4664ea7860869dda37d66d1653c37641f67af31cb6bc3b399e0
Instruction ID: afafe544a9b688418c581e3ab73224469cf2277b033719a960441395bba466e2
Opcode Fuzzy Hash: e96ec514429de4664ea7860869dda37d66d1653c37641f67af31cb6bc3b399e0
Instruction Fuzzy Hash: 9FA10B75509488BEE7659A2C8C4DFBF2E5DFB86344F14010EF402D66D1CA2AAD02D37E

Function 00531806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0053304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0053307A
Part of subcall function 0053304E: _wcslen.LIBCMT ref: 0053309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0053185D
WSAGetLastError.WSOCK32 ref: 00531884
bind.WSOCK32(00000000,?,00000010), ref: 005318DB
WSAGetLastError.WSOCK32 ref: 005318E6
closesocket.WSOCK32(00000000), ref: 00531915

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c1d7409e1355566b812c5c858817e756ff08f5c16b312ef4c5c99f4aef0ef40e
Instruction ID: ce0a0e464d07e9ebbbe4ea16298312a1120eeb6079e3002d38f47422322ebbda
Opcode Fuzzy Hash: c1d7409e1355566b812c5c858817e756ff08f5c16b312ef4c5c99f4aef0ef40e
Instruction Fuzzy Hash: AA51E675A00200AFD714AF24C886F6ABBE5AB8571CF04849DF9065F3C3C775AD418BA9

Function 00541C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00541CC0
IsWindowEnabled.USER32 ref: 00541CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00541CDB
IsIconic.USER32 ref: 00541CE9
IsZoomed.USER32 ref: 00541CF7

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e6564a5f3fa5007bb23e9b9850ee31d5cb2ce7c759ebc63453493de0fa392ae4
Instruction ID: ff0c514c46a1956e3516d1d198620812a3e045404cb72b5fd1ccfae4ca850a48
Opcode Fuzzy Hash: e6564a5f3fa5007bb23e9b9850ee31d5cb2ce7c759ebc63453493de0fa392ae4
Instruction Fuzzy Hash: 2921B131741A115FD7208F2ADC84BAA7FA5FF95319F198068E84A8B251CB71DC82CB98

Function 004B8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 004B83E8
VUUU, xrefs: 004F5DF0
VUUU, xrefs: 004B843C
VUUU, xrefs: 004B83FA
ERCP, xrefs: 004B813C

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: fbe8fdc5f235c82980db778f4fef428c9a4eea527acb3f0438edd9eb822dbe24
Instruction ID: ffd65b0d831a85386fd09ea3167f9ef9a09f1d0848888ffc29be226c4b5dfbd4
Opcode Fuzzy Hash: fbe8fdc5f235c82980db778f4fef428c9a4eea527acb3f0438edd9eb822dbe24
Instruction Fuzzy Hash: 3AA27D70A0021ACBDF24CF58C9407FEB7B5BB54314F2581ABDA15A7385DB389D82CB69

Function 00518298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005182AA

Strings

tbW, xrefs: 005184F4
|, xrefs: 005182DA
(, xrefs: 005182F0

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbW$|
API String ID: 1659193697-2715185830
Opcode ID: f0e8535b0ff751ab67552931ca3f290a8feca4154149e234173f8fc1d176b7fb
Instruction ID: 5037f4291e8433619923a4d066b02286efe03afca91f90369cfa95d6e73e2dd3
Opcode Fuzzy Hash: f0e8535b0ff751ab67552931ca3f290a8feca4154149e234173f8fc1d176b7fb
Instruction Fuzzy Hash: DA323974A007059FD728CF59C480AAABBF0FF48710B15C96EE49ADB3A1DB70E981CB44

Function 0051AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0051AAAC
SetKeyboardState.USER32(00000080), ref: 0051AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0051AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0051AB88

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3576aa3aa8a5dacec1ed0ed42821bf647d60cbe3e67c078a0a1eababe2310087
Instruction ID: c80a1e099f29c0412189287e58263e7131794ed4b725815ce76eaf071296eb63
Opcode Fuzzy Hash: 3576aa3aa8a5dacec1ed0ed42821bf647d60cbe3e67c078a0a1eababe2310087
Instruction Fuzzy Hash: 7D315B70A46288AEFF32CB64CC05BFA7FA6BF95310F04421AF081561D1D77589C5D762

Function 0052CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0052CE89
GetLastError.KERNEL32(?,00000000), ref: 0052CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0052CEFE

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 4c77e929567878573ecfc12ae1281303ce3dbe6fa71d65d8eb814f63c2bd409e
Instruction ID: c036efca4d19c8f54177288963702cbf3e02b78fdb70d9b4c1ac0ab866453ff5
Opcode Fuzzy Hash: 4c77e929567878573ecfc12ae1281303ce3dbe6fa71d65d8eb814f63c2bd409e
Instruction Fuzzy Hash: C5210DB1500710ABDB20DFA5E948BAA7FFCFF52318F10481EE14692192E770EE088B50

Function 00525C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00525CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00525D17
FindClose.KERNEL32(?), ref: 00525D5F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f4bea1342fa1435fcd400db2eaca76a6fd3e455c32fb47bcc60c3a3d9ce7fc26
Instruction ID: b45a9f1a6ff61e951a883aaea63b994c111761eef9676a8d99c8baa94f6459e3
Opcode Fuzzy Hash: f4bea1342fa1435fcd400db2eaca76a6fd3e455c32fb47bcc60c3a3d9ce7fc26
Instruction Fuzzy Hash: 2D51AA34604A019FC714CF28D494E96BBE4FF4A318F14855EE99A8B3A2DB30ED05CFA1

Function 004E2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004E271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004E2724
UnhandledExceptionFilter.KERNEL32(?), ref: 004E2731

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9ff12363606e0e8b4bd404dd6d474d3de3c78d4b85046917491c578bd3b39968
Instruction ID: 8e065d79124c76265f1b24c15a05b4a97e5366a312f845b780cdb56f91206143
Opcode Fuzzy Hash: 9ff12363606e0e8b4bd404dd6d474d3de3c78d4b85046917491c578bd3b39968
Instruction Fuzzy Hash: FF31D374911218ABCB21DF69DD887DDBBB8AF18310F5041EAE80CA7360E7749F858F48

Function 005251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00525238
SetErrorMode.KERNEL32(00000000), ref: 005252A1

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f4b9c2ccf66636f3b13e4549d38f0a18938b14fded9a7f3c2063b834ba3f5147
Instruction ID: 417a58a1d23aa1d82b23487e5054c44813b39de131bf332d965be1b453b8194b
Opcode Fuzzy Hash: f4b9c2ccf66636f3b13e4549d38f0a18938b14fded9a7f3c2063b834ba3f5147
Instruction Fuzzy Hash: BD311C75A00518DFDB00DF55D8C8AEDBBB4FF49318F548099E8059B392DB35E85ACB60

Function 005116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 004CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 004D0668
Part of subcall function 004CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 004D0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0051170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0051173A
GetLastError.KERNEL32 ref: 0051174A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 6fbf303e672fa5c0aae740847f39cf119cb7bff467d11e369ec4b2934c069042
Instruction ID: 6e6f60b2d7cb84a1e9731964c25dd3de3234066403d7adc359b10d9864f3bd05
Opcode Fuzzy Hash: 6fbf303e672fa5c0aae740847f39cf119cb7bff467d11e369ec4b2934c069042
Instruction Fuzzy Hash: BC11C1B2400304AFE7189F54DC86EAABBB9FB44718B20856EE05657291EB74BC858A24

Function 0051D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0051D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0051D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0051D650

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 0fe3f1eee291749f1f764765a66912032142c401b368fa935636ae26182d7425
Instruction ID: 4d0bb75d7d53522b9df893b6af93bcd659fef0ad28dfdbc4338d5907511ba189
Opcode Fuzzy Hash: 0fe3f1eee291749f1f764765a66912032142c401b368fa935636ae26182d7425
Instruction Fuzzy Hash: A3117C75E05228BBEB208F949C44FEFBFBCEB45B50F108111F904E7290C2B05A059BA1

Function 00511663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0051168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005116A1
FreeSid.ADVAPI32(?), ref: 005116B1

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: de61adfdb4c5b9cff281ceb6dfa7cd0f255f6a4bb76cd7649fb149b6f4b2efbb
Instruction ID: 6679b2dfd8a5a8720de8a6b72452b730616c00fa17e2c934451cdca839c65651
Opcode Fuzzy Hash: de61adfdb4c5b9cff281ceb6dfa7cd0f255f6a4bb76cd7649fb149b6f4b2efbb
Instruction Fuzzy Hash: 6BF04475A41308FBEB00CFE08C89AEEBBBCFB08204F0048A0E500E2180E330AA489A54

Function 004EC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 004EC36C

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 13a21eea4a6af93817248812b1f579ad4ab285eb206724c516b2cf1b47cceb34
Instruction ID: 1b4d37d45d7593c8a6f95f4bcaac0db6bd186a7f0e20abbd9e24782ba499e742
Opcode Fuzzy Hash: 13a21eea4a6af93817248812b1f579ad4ab285eb206724c516b2cf1b47cceb34
Instruction Fuzzy Hash: 09415B729002586FCB209FBACC88DBB7778EB84315F1042AEF905D7280E6749D82CB58

Function 0050D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0050D28C

Strings

X64, xrefs: 0050D2A8

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: ff4f7737ab65e60c0ac8a60d2f91e0ac144695504f04f2f71045b573821a585e
Instruction ID: ce41c94e2111820cc0bbe875be45877f5c9bd2032fe95f04d308482766e87123
Opcode Fuzzy Hash: ff4f7737ab65e60c0ac8a60d2f91e0ac144695504f04f2f71045b573821a585e
Instruction Fuzzy Hash: A0D0C9B880211DEBCB90CB90DC8CDDDB77CBB14309F100556F106A2040D73495499F20

Function 004DCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 940315c1d4ca01158539fc9f89f3aa542382b3c0d5ee5590cd7a3682defad976
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B6023D71E0011A9BDF14CFA9C9906AEFBF1EF48314F25426BD919E7384D735A941CB84

Function 004BCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#X, xrefs: 004BCF7F
Variable is not of type 'Object'., xrefs: 00500C40

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#X
API String ID: 0-878931691
Opcode ID: e3be59343697828567172114cefc565e9fe9d638a906add8dfee07287ea20b25
Instruction ID: 2b70760337806cd7fedbbd4950d94b2cd34fce10c5e635dc22735246363efcfa
Opcode Fuzzy Hash: e3be59343697828567172114cefc565e9fe9d638a906add8dfee07287ea20b25
Instruction Fuzzy Hash: B4327C34900218DBDF14DF94C8C5BEEBBB9BF14308F14446AE806AB2D2D779AD46CB65

Function 005268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00526918
FindClose.KERNEL32(00000000), ref: 00526961

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: be1f772986246045f05ea43a5e1619eed531e4106c53cc659f3323b0774761f6
Instruction ID: 8e9db58d2e00bcb09aa718810f1242f22694a935e1068181b4e8075bb7cd0dcc
Opcode Fuzzy Hash: be1f772986246045f05ea43a5e1619eed531e4106c53cc659f3323b0774761f6
Instruction Fuzzy Hash: C211AC356042109FC710CF2AD484A26BBE0FF86328F04C699E4698B6A2CB74EC45CBA0

Function 005237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00534891,?,?,00000035,?), ref: 005237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00534891,?,?,00000035,?), ref: 005237F4

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6e7aa42193e9522f39c2f0530f86ca568a685e9d9c79a66750512fff253ec537
Instruction ID: 1cd23ef467465b684202f529a96ebd7d86b23707773dc4511a30fc12a466da23
Opcode Fuzzy Hash: 6e7aa42193e9522f39c2f0530f86ca568a685e9d9c79a66750512fff253ec537
Instruction Fuzzy Hash: 08F0EC746052286BDB5057665C4DFEB3E6DEFC5765F000165F505D21D1D5605D08C6B0

Function 0051B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0051B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0051B270

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 81b43e9589e15bf20658cec717510542c50b6b2c5b3a45c9928a245095ecef57
Instruction ID: 98319621fe38bff9bb2bc9b3387fe43093d60a6be449c5375da2f5917a605603
Opcode Fuzzy Hash: 81b43e9589e15bf20658cec717510542c50b6b2c5b3a45c9928a245095ecef57
Instruction Fuzzy Hash: 67F06D7480424DABEB059FA0C805BEE7FB0FF04309F008009F961A5191C3798205DF94

Function 005110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005111FC), ref: 005110D4
CloseHandle.KERNEL32(?,?,005111FC), ref: 005110E9

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 91f189bb116f176c0d37ad5e2a258cb3f7fcfe241c1b7da56ce80ad896bf8c6f
Instruction ID: a5b513e3253be3b894681a85bd7c0213ba83543125963295c89191d9d68ee79e
Opcode Fuzzy Hash: 91f189bb116f176c0d37ad5e2a258cb3f7fcfe241c1b7da56ce80ad896bf8c6f
Instruction Fuzzy Hash: FAE04F36005610AFF7652B11FC09FB77BA9EB04314B10882EF5A6804B1DB666CD4EB14

Function 004E676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004E6766,?,?,00000008,?,?,004EFEFE,00000000), ref: 004E6998

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 62e1a3be3ca1d91e0db48804c4e5d32adb86eb3cf199850112987354391a6e16
Instruction ID: 639a5400ed3b7dcbfccd1177470d740bba180ab721d86e0e55a31a096d7e4b2f
Opcode Fuzzy Hash: 62e1a3be3ca1d91e0db48804c4e5d32adb86eb3cf199850112987354391a6e16
Instruction Fuzzy Hash: FEB17C716106488FD714CF29C486B657BE0FF153A5F268699E8D9CF3A2C339E982CB44

Function 004CB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0050851F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 85d8cefe76f552ca96abf4ba6bd37c97ddd7d754693c3f9d877383646b02b983
Instruction ID: 4551ad7c94f76b3e9a1ae9b216e33463298e562f1c4aa1e34e4fe9e143226c21
Opcode Fuzzy Hash: 85d8cefe76f552ca96abf4ba6bd37c97ddd7d754693c3f9d877383646b02b983
Instruction Fuzzy Hash: D3126F759002299BCB54CF58C881BFEBBB5FF48710F14819AE849EB291DB349E81CF95

Function 0052EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0052EABD

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: dd1d819ce6efcfa77f05b84165a78c12783f5869619d1413a3762ddb30f5cc69
Instruction ID: 638beaccd22c4d38a85cb579358f142527753cdce75a3da357c2873e0103e28d
Opcode Fuzzy Hash: dd1d819ce6efcfa77f05b84165a78c12783f5869619d1413a3762ddb30f5cc69
Instruction Fuzzy Hash: 89E012352002149FC710DF5AD445D9ABBE9BFA9764F00841AFC49C7291D774A8418BA1

Function 004D09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004D03EE), ref: 004D09DA

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9f44fe323363eff1a5bd2eaa2bf584c4104fb16bdcbada924dca2def80952f78
Instruction ID: f5bc94e6d3134bd7dbef2554fe7a3afa01c3861e1b95dbf3501759566fececd4
Opcode Fuzzy Hash: 9f44fe323363eff1a5bd2eaa2bf584c4104fb16bdcbada924dca2def80952f78
Instruction Fuzzy Hash:

Function 004D781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 004D798B

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e5d88c21d7812fdea941c297e9ebad1eb737ec30bb4b6b0dbd8b003e8bb75ed1
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: D8517BB260C6455BEB38662948BD7BF27859B02344F18094FF886C7382F61DDE06E35E

Function 00522046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&X, xrefs: 00522053

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: 0&X
API String ID: 0-2101634656
Opcode ID: ee6e1c02aeb9cf0eec43ed7b15cac7746667a5cd39d6eedbba98e881b959f06d
Instruction ID: d63f09aaca3344263ddf8e530edb059467b88846dc0e02480a0353632e701744
Opcode Fuzzy Hash: ee6e1c02aeb9cf0eec43ed7b15cac7746667a5cd39d6eedbba98e881b959f06d
Instruction Fuzzy Hash: A521B7326206118BD728CF7AC82767E77E5BB64310F15862EE4A7D77D0DE39A904DB80

Function 004E6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0ef5eea793496bfd31db8403abf973bf9798aa8e49d54e7d292785e44e067a
Instruction ID: 8b8f3d1181d42fb5dc0b01d9e2e296206d5e8f1cc727d4489f8ab6c70193ec48
Opcode Fuzzy Hash: 2a0ef5eea793496bfd31db8403abf973bf9798aa8e49d54e7d292785e44e067a
Instruction Fuzzy Hash: AE323322D29F814DD7239635D832336A249AFB73D6F15C737E81AB5EA5EB28C4835200

Function 004CCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08c20d93043e6e8d821bbd290d01dbf38b32aecdbb6f2eccb660a0f95ef43fd
Instruction ID: a81f42d97192ff743c00e4e44d67c6a7c3124a90fe5b47d3c37758f3440c4bf9
Opcode Fuzzy Hash: c08c20d93043e6e8d821bbd290d01dbf38b32aecdbb6f2eccb660a0f95ef43fd
Instruction Fuzzy Hash: CC32D036A001558BDF38CB29C4D4BBD7FA1FB46310F28866BD85ADB6D1D2349D81EB41

Function 004B7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73c4012caeeba2a254d1b1f693ed262ae7ed58511468884ef75bfb9f327a379
Instruction ID: 5a519e90a03d34220da1f16121fe7811cfcf88d7d716e587648efb5c2bae8447
Opcode Fuzzy Hash: f73c4012caeeba2a254d1b1f693ed262ae7ed58511468884ef75bfb9f327a379
Instruction Fuzzy Hash: 7022D170A046099FDF14CF65C881AFEB3F1FF44304F10452AE916A7291EB39AD15DB69

Function 004B91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e619eea6987f237e12a70dd944f334d1f656c4fd8e2547d6f9d82ba8c8bbe944
Instruction ID: 4e9ce93ab4f3423a06b83d764b41d72f76493df16925dfaebde1bef78c249f4c
Opcode Fuzzy Hash: e619eea6987f237e12a70dd944f334d1f656c4fd8e2547d6f9d82ba8c8bbe944
Instruction Fuzzy Hash: 5D02F8B0E00209EBDB04DF55D881BAEB7B1FF44304F10856AE9069B391E739EE15DB99

Function 004E9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d65faa2e78cfb422d520e93e3649f58ca13f24ec10ab5a650d300bea4d952ab
Instruction ID: 8b8c7f448f331d9df3b2f905e945c9625eed1759198ad8a91199c0bdb00e0fd6
Opcode Fuzzy Hash: 7d65faa2e78cfb422d520e93e3649f58ca13f24ec10ab5a650d300bea4d952ab
Instruction Fuzzy Hash: 8FB10420D2AF404DD72396398835336B75CAFBB6D6F92D71BFC1A74D22EB2185879140

Function 004D1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 504b746ff1c0ab601579269dacbdbaed0237b467a1574959c92e9581e0c20535
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: D69167722080A35ADB29463A857443FFFE15A923A131A079FDCF2CA3E5EE189954D624

Function 004D19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 8a75b4d1f0750396c156c50d8c421b5fb08fa30aba0fef3533e19b6a1f02a3c3
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: A29194722090E35ADB2D427A857403FFFE15A923A131A079FD8F2CA3E5FD28D554D624

Function 004D7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1476d37c36496f5be63baef0b48c6d5cc4a1133df8f2cafef2332e8c4f5e179e
Instruction ID: 534c313a9a11f99a816b60832915c59c2c989ba0dd979337fe6f99f30ecdfddb
Opcode Fuzzy Hash: 1476d37c36496f5be63baef0b48c6d5cc4a1133df8f2cafef2332e8c4f5e179e
Instruction Fuzzy Hash: 9B61377130870996DA349A2888B6BBF3394DF42708F14095FE942DB382F65DAE42C75E

Function 004D7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1cb825f53fda81c20feb2f35001e9f1a9094710a0d92fb6d3aff6716a8a072
Instruction ID: b46e685c810e23edfc8b60dc033a38f1fe843902d42e737455a938542f92e674
Opcode Fuzzy Hash: db1cb825f53fda81c20feb2f35001e9f1a9094710a0d92fb6d3aff6716a8a072
Instruction Fuzzy Hash: 8B616A7170870956DE384A2898B6BBF6396DF42748F10095FE943DB381FA1EED42825E

Function 004D1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: ca5c43d93f63ad3a7532d7b9fea1cc909d1588ece1aeb7da285f7c3d874bd579
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 44817A726090E319DB6D8279857443FFFE15A923A131A079FE8F2CB3E1ED28C554E624

Function 00532ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00532B30
DeleteObject.GDI32(00000000), ref: 00532B43
DestroyWindow.USER32 ref: 00532B52
GetDesktopWindow.USER32 ref: 00532B6D
GetWindowRect.USER32(00000000), ref: 00532B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00532CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00532CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00532CF8
GetClientRect.USER32(00000000,?), ref: 00532D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00532D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00532D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00532D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00532D80
GlobalLock.KERNEL32(00000000), ref: 00532D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00532D98
GlobalUnlock.KERNEL32(00000000), ref: 00532DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00532DA8
GlobalFree.KERNEL32(00000000), ref: 00532DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00532DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0054FC38,00000000), ref: 00532DDB
GlobalFree.KERNEL32(00000000), ref: 00532DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00532E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00532E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00532E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0053303F

Strings

DISPLAY, xrefs: 00532EA2
AutoIt v3, xrefs: 00532CF2
, xrefs: 00532FC5
static, xrefs: 00532D3A, 00532E91

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 3b16cc3da2d840a7f577bb03df960ebe09479de942d3cc08097f913f754e0ad5
Instruction ID: 77818f4b88f435a019f3774e5c02d84c0d8bf87d81cfe7fbdd6c46571ce0bad9
Opcode Fuzzy Hash: 3b16cc3da2d840a7f577bb03df960ebe09479de942d3cc08097f913f754e0ad5
Instruction Fuzzy Hash: 7F028D75900204AFDB14DFA4CC89EAE7FB9FF89318F008559F915AB2A1CB74AD05DB60

Function 005470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0054712F
GetSysColorBrush.USER32(0000000F), ref: 00547160
GetSysColor.USER32(0000000F), ref: 0054716C
SetBkColor.GDI32(?,000000FF), ref: 00547186
SelectObject.GDI32(?,?), ref: 00547195
InflateRect.USER32(?,000000FF,000000FF), ref: 005471C0
GetSysColor.USER32(00000010), ref: 005471C8
CreateSolidBrush.GDI32(00000000), ref: 005471CF
FrameRect.USER32(?,?,00000000), ref: 005471DE
DeleteObject.GDI32(00000000), ref: 005471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00547230
FillRect.USER32(?,?,?), ref: 00547262
GetWindowLongW.USER32(?,000000F0), ref: 00547284

Part of subcall function 005473E8: GetSysColor.USER32(00000012), ref: 00547421
Part of subcall function 005473E8: SetTextColor.GDI32(?,?), ref: 00547425
Part of subcall function 005473E8: GetSysColorBrush.USER32(0000000F), ref: 0054743B
Part of subcall function 005473E8: GetSysColor.USER32(0000000F), ref: 00547446
Part of subcall function 005473E8: GetSysColor.USER32(00000011), ref: 00547463
Part of subcall function 005473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00547471
Part of subcall function 005473E8: SelectObject.GDI32(?,00000000), ref: 00547482
Part of subcall function 005473E8: SetBkColor.GDI32(?,00000000), ref: 0054748B
Part of subcall function 005473E8: SelectObject.GDI32(?,?), ref: 00547498
Part of subcall function 005473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005474B7
Part of subcall function 005473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005474CE
Part of subcall function 005473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005474DB

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 40d919fa539dc9bc594c71956170f31f769fad1ceb33dfc85089c75fe4a90eae
Instruction ID: 49217c160f15f7799147e07be41fbe03e13bb1dd4b646ccca4e5eb271cd0ac0d
Opcode Fuzzy Hash: 40d919fa539dc9bc594c71956170f31f769fad1ceb33dfc85089c75fe4a90eae
Instruction Fuzzy Hash: C1A1C07A009305AFD7509F60DC48EDF7FA9FB8A328F101A19F962961E1D770E908DB51

Function 004C8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 004C8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00506AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00506AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00506F43

Part of subcall function 004C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004C8BE8,?,00000000,?,?,?,?,004C8BBA,00000000,?), ref: 004C8FC5

SendMessageW.USER32(?,00001053), ref: 00506F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00506F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00506FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00506FB7

Strings

0, xrefs: 00506DCF

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 995c758530480fa52fcd762ccdf8405667d48603f102343d5d69ef5bd30627bd
Instruction ID: f5c0ecf814310f33807529c19f1d20c47e909c34ff9f6757eefb7e9732fbdbc1
Opcode Fuzzy Hash: 995c758530480fa52fcd762ccdf8405667d48603f102343d5d69ef5bd30627bd
Instruction Fuzzy Hash: 3D12CD38201601DFD761CF14C844BAABBF5FB55304F14446DE889DB2A1CB35EC66EB95

Function 00532711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0053273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0053286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00532900
GetClientRect.USER32(00000000,?), ref: 0053290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00532955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00532964
GetStockObject.GDI32(00000011), ref: 00532974
SelectObject.GDI32(00000000,00000000), ref: 00532978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00532988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00532991
DeleteDC.GDI32(00000000), ref: 0053299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00532A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00532A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00532A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00532A77
GetStockObject.GDI32(00000011), ref: 00532A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00532A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00532A97

Strings

DISPLAY, xrefs: 0053295A
AutoIt v3, xrefs: 005328F8
msctls_progress32, xrefs: 00532A13
static, xrefs: 0053294F, 00532A71

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b1b2507bcde9e90cb55103d82b2fc9552cc48ee6d33113caa242c540ef968f65
Instruction ID: f5b059e499f17719d7eed979e746636f543897ad5b480e32bc9e14c1b0ac92e6
Opcode Fuzzy Hash: b1b2507bcde9e90cb55103d82b2fc9552cc48ee6d33113caa242c540ef968f65
Instruction Fuzzy Hash: 58B18C75A00605BFEB14DFA8CC4AFAE7BA9FB48714F008519F915E7290DB74AD00DBA4

Function 00524ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00524AED
GetDriveTypeW.KERNEL32(?,0054CB68,?,\\.\,0054CC08), ref: 00524BCA
SetErrorMode.KERNEL32(00000000,0054CB68,?,\\.\,0054CC08), ref: 00524D36

Strings

\\.\, xrefs: 00524B3F
ATAPI, xrefs: 00524C91
Virtual, xrefs: 00524CE5
SCSI, xrefs: 00524C8A
Network, xrefs: 00524C02
RAMDisk, xrefs: 00524BF4
SSD, xrefs: 00524C4A
RAID, xrefs: 00524CBB
Fibre, xrefs: 00524CAD
Unknown, xrefs: 00524BED, 00524C83
USB, xrefs: 00524CB4
Fixed, xrefs: 00524C09
Removable, xrefs: 00524C10, 00524C15
PhysicalDrive, xrefs: 00524B76
SAS, xrefs: 00524CC9
ATA, xrefs: 00524C98
iSCSI, xrefs: 00524CC2
SATA, xrefs: 00524CD0
FileBackedVirtual, xrefs: 00524CEC
SSA, xrefs: 00524CA6
MMC, xrefs: 00524CDE
CDROM, xrefs: 00524BFB
1394, xrefs: 00524C9F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: de1feed9a1ca1d7a5765966e76ccb61bb490baa2104198164924e9afe22a18b1
Instruction ID: f4a083860e1b6145b88429b30ed8945367acd2d7ab58a03d73e5c2b294c1cbb7
Opcode Fuzzy Hash: de1feed9a1ca1d7a5765966e76ccb61bb490baa2104198164924e9afe22a18b1
Instruction Fuzzy Hash: 8161D3306016169BCB15DF28EA86DA87FB0BF46344B20841AF80ABB6D1DB35DD41EF51

Function 005473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00547421
SetTextColor.GDI32(?,?), ref: 00547425
GetSysColorBrush.USER32(0000000F), ref: 0054743B
GetSysColor.USER32(0000000F), ref: 00547446
CreateSolidBrush.GDI32(?), ref: 0054744B
GetSysColor.USER32(00000011), ref: 00547463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00547471
SelectObject.GDI32(?,00000000), ref: 00547482
SetBkColor.GDI32(?,00000000), ref: 0054748B
SelectObject.GDI32(?,?), ref: 00547498
InflateRect.USER32(?,000000FF,000000FF), ref: 005474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0054752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00547554
InflateRect.USER32(?,000000FD,000000FD), ref: 00547572
DrawFocusRect.USER32(?,?), ref: 0054757D
GetSysColor.USER32(00000011), ref: 0054758E
SetTextColor.GDI32(?,00000000), ref: 00547596
DrawTextW.USER32(?,005470F5,000000FF,?,00000000), ref: 005475A8
SelectObject.GDI32(?,?), ref: 005475BF
DeleteObject.GDI32(?), ref: 005475CA
SelectObject.GDI32(?,?), ref: 005475D0
DeleteObject.GDI32(?), ref: 005475D5
SetTextColor.GDI32(?,?), ref: 005475DB
SetBkColor.GDI32(?,?), ref: 005475E5

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 677c51a9c8d4884d137d649614b31d917bd18f2cfadb47acf76b7c5ced55ae9e
Instruction ID: 87bcc5838c2c3ed5f2dabe3922167322e98e085c9d06d182da5b7d48fe8f8e23
Opcode Fuzzy Hash: 677c51a9c8d4884d137d649614b31d917bd18f2cfadb47acf76b7c5ced55ae9e
Instruction Fuzzy Hash: 9A61897A901218AFDF009FA4DC48AEEBFB9FB49324F114115F912BB2A1D7749940DF90

Function 00540FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00541128
GetDesktopWindow.USER32 ref: 0054113D
GetWindowRect.USER32(00000000), ref: 00541144
GetWindowLongW.USER32(?,000000F0), ref: 00541199
DestroyWindow.USER32(?), ref: 005411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0054120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0054121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00541232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00541245
IsWindowVisible.USER32(00000000), ref: 005412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005412D0
GetWindowRect.USER32(00000000,?), ref: 005412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0054130E
GetMonitorInfoW.USER32(00000000,?), ref: 00541328
CopyRect.USER32(?,?), ref: 0054133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005413AA

Strings

(, xrefs: 0054131B
tooltips_class32, xrefs: 005411E6
0, xrefs: 005410D3

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 76e3871fb9643914947ca4550bcf8f08e064662383367e49eb768685d53f1f75
Instruction ID: 903ccdc371d9a8771a3de234f76303f2da07a0124c3f8c12cd3ba2d1e19aef46
Opcode Fuzzy Hash: 76e3871fb9643914947ca4550bcf8f08e064662383367e49eb768685d53f1f75
Instruction Fuzzy Hash: 6BB19D71608741AFD714DF65C884BAABFE4FF84348F00891DF9999B261C771E844CBA6

Function 00540241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005402E5
_wcslen.LIBCMT ref: 0054031F
_wcslen.LIBCMT ref: 00540389
_wcslen.LIBCMT ref: 005403F1
_wcslen.LIBCMT ref: 00540475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005404C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00540504

Part of subcall function 004CF9F2: _wcslen.LIBCMT ref: 004CF9FD

Part of subcall function 0051223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00512258
Part of subcall function 0051223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0051228A

Strings

GETSELECTEDCOUNT, xrefs: 00540470, 0054048B
GETSUBITEMCOUNT, xrefs: 00540384, 0054039F
SELECT, xrefs: 00540548
VIEWCHANGE, xrefs: 00540675
DESELECT, xrefs: 0054059C
FINDITEM, xrefs: 00540627
SELECTALL, xrefs: 00540515
GETTEXT, xrefs: 005403EC, 00540407
GETITEMCOUNT, xrefs: 00540316, 00540337
SELECTCLEAR, xrefs: 0054052D
ISSELECTED, xrefs: 005404DD
SELECTINVERT, xrefs: 0054057E
GETSELECTED, xrefs: 005405E1

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 98fb4fda0c6a2b9ed8c3aa8b88a7e10c062789aa8f4bd0b2dc9316a1b0fff7c3
Instruction ID: 83b38d300152ca4d8abe618de97b34fc1d9b0efefa69338bfc9d827e58bebff6
Opcode Fuzzy Hash: 98fb4fda0c6a2b9ed8c3aa8b88a7e10c062789aa8f4bd0b2dc9316a1b0fff7c3
Instruction Fuzzy Hash: 55E1B0312082019BCB14DF25C4909AABBE6FFC831CF24895DF9969B2E1D734ED46CB91

Function 004C8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004C8968
GetSystemMetrics.USER32(00000007), ref: 004C8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004C899B
GetSystemMetrics.USER32(00000008), ref: 004C89A3
GetSystemMetrics.USER32(00000004), ref: 004C89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004C89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004C89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004C8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004C8A3C
GetClientRect.USER32(00000000,000000FF), ref: 004C8A5A
GetStockObject.GDI32(00000011), ref: 004C8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 004C8A81

Part of subcall function 004C912D: GetCursorPos.USER32(?), ref: 004C9141
Part of subcall function 004C912D: ScreenToClient.USER32(00000000,?), ref: 004C915E
Part of subcall function 004C912D: GetAsyncKeyState.USER32(00000001), ref: 004C9183
Part of subcall function 004C912D: GetAsyncKeyState.USER32(00000002), ref: 004C919D

SetTimer.USER32(00000000,00000000,00000028,004C90FC), ref: 004C8AA8

Strings

AutoIt v3 GUI, xrefs: 004C8A20

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 1668b1a097c98a6008adfef0904631ea6afdc269ba919fb901f3028506405086
Instruction ID: 1d875b502726d3c86d0e4aab2a4f754e7f7a64b089cad18aff3192922800ed87
Opcode Fuzzy Hash: 1668b1a097c98a6008adfef0904631ea6afdc269ba919fb901f3028506405086
Instruction Fuzzy Hash: 22B17C79A0020AAFDB54DF68CC45BEE3BB5FB48314F10422EFA15A7290DB34A841DF59

Function 00510D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00511114
Part of subcall function 005110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00510B9B,?,?,?), ref: 00511120
Part of subcall function 005110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00510B9B,?,?,?), ref: 0051112F
Part of subcall function 005110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00510B9B,?,?,?), ref: 00511136
Part of subcall function 005110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0051114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00510DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00510E29
GetLengthSid.ADVAPI32(?), ref: 00510E40
GetAce.ADVAPI32(?,00000000,?), ref: 00510E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00510E96
GetLengthSid.ADVAPI32(?), ref: 00510EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00510EB5
HeapAlloc.KERNEL32(00000000), ref: 00510EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00510EDD
CopySid.ADVAPI32(00000000), ref: 00510EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00510F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00510F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00510F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00510F6E
HeapFree.KERNEL32(00000000), ref: 00510F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00510F7E
HeapFree.KERNEL32(00000000), ref: 00510F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00510F8E
HeapFree.KERNEL32(00000000), ref: 00510F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00510FA1
HeapFree.KERNEL32(00000000), ref: 00510FA8

Part of subcall function 00511193: GetProcessHeap.KERNEL32(00000008,00510BB1,?,00000000,?,00510BB1,?), ref: 005111A1
Part of subcall function 00511193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00510BB1,?), ref: 005111A8
Part of subcall function 00511193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00510BB1,?), ref: 005111B7

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2d03165bedb206e862a3362eae1432269a783c90b32421b85335ecb6bbab85e6
Instruction ID: df319eced92db1b2c81d9dd683a7c72817fc1deb7e506e448c1a6f606ecf1bad
Opcode Fuzzy Hash: 2d03165bedb206e862a3362eae1432269a783c90b32421b85335ecb6bbab85e6
Instruction Fuzzy Hash: 6D718C7290120AEBEF209FA5DC49FEEBFB8BF45304F045115F919E6191D7709A8ACB60

Function 0053C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0053C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0054CC08,00000000,?,00000000,?,?), ref: 0053C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0053C5A4
_wcslen.LIBCMT ref: 0053C5F4
_wcslen.LIBCMT ref: 0053C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0053C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0053C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0053C84D
RegCloseKey.ADVAPI32(?), ref: 0053C881
RegCloseKey.ADVAPI32(00000000), ref: 0053C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0053C960

Strings

REG_BINARY, xrefs: 0053C913
REG_MULTI_SZ, xrefs: 0053C6F5
REG_QWORD, xrefs: 0053C8C3
REG_EXPAND_SZ, xrefs: 0053C5CD
REG_SZ, xrefs: 0053C644
REG_DWORD, xrefs: 0053C804

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: bc100a380d306d2ea77eda66a4612402c559302ecc110e4c95ae0a6876b0e9ec
Instruction ID: 330494bea898f00b67447a88e874361b072e1a50818ea550df773496cd52f4c8
Opcode Fuzzy Hash: bc100a380d306d2ea77eda66a4612402c559302ecc110e4c95ae0a6876b0e9ec
Instruction Fuzzy Hash: 94128C352042019FC714DF25C891A6ABBE5FF88718F04885DF88AAB7A2DB35FD41CB95

Function 0054091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005409C6
_wcslen.LIBCMT ref: 00540A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00540A54
_wcslen.LIBCMT ref: 00540A8A
_wcslen.LIBCMT ref: 00540B06
_wcslen.LIBCMT ref: 00540B81

Part of subcall function 004CF9F2: _wcslen.LIBCMT ref: 004CF9FD

Part of subcall function 00512BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00512BFA

Strings

UNCHECK, xrefs: 00540D3E
CHECK, xrefs: 00540A85, 00540AA0
GETTOTALCOUNT, xrefs: 005409F2, 00540A17
GETTEXT, xrefs: 00540C97
GETITEMCOUNT, xrefs: 00540C1E
COLLAPSE, xrefs: 00540B01, 00540B1C
EXISTS, xrefs: 00540B7C, 00540B97
ISCHECKED, xrefs: 00540CE1
EXPAND, xrefs: 00540BF8
GETSELECTED, xrefs: 00540C4E
SELECT, xrefs: 00540D11

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 7947fc1a9049bc892378019a7334f0041f0c3b8694c29a079d4d0479f333c365
Instruction ID: 505be1c26b8aae013dc245157994fe879102f7d6cd6caa4d93c6348730a14d43
Opcode Fuzzy Hash: 7947fc1a9049bc892378019a7334f0041f0c3b8694c29a079d4d0479f333c365
Instruction Fuzzy Hash: E6E1CD352083019FC714DF25C4909AABBE1FF88318F24895DF99A9B3A2D734ED49CB95

Function 0053C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053B6AE,?,?), ref: 0053C9B5
_wcslen.LIBCMT ref: 0053C9F1
_wcslen.LIBCMT ref: 0053CA68
_wcslen.LIBCMT ref: 0053CA9E
_wcslen.LIBCMT ref: 0053CAF9
_wcslen.LIBCMT ref: 0053CB2F
_wcslen.LIBCMT ref: 0053CB7F

Strings

HKU, xrefs: 0053CBF0
HKCC, xrefs: 0053CBAC
HKEY_CURRENT_CONFIG, xrefs: 0053CB79, 0053CB7E
HKLM, xrefs: 0053CA98, 0053CA9D
HKEY_USERS, xrefs: 0053CBDF
HKEY_LOCAL_MACHINE, xrefs: 0053CA62, 0053CA67
HKCU, xrefs: 0053CBCE
HKEY_CLASSES_ROOT, xrefs: 0053CAF3, 0053CAF8
HKCR, xrefs: 0053CB29, 0053CB2E
HKEY_CURRENT_USER, xrefs: 0053CBBD

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a5a863bea5763df0193d19c682401616a4a637e263afddc2cec14a39641d1866
Instruction ID: 06e26b1ee41244091394e00a1c6c45e513e1d1d36b7c5cce1c6d0c1b418fed60
Opcode Fuzzy Hash: a5a863bea5763df0193d19c682401616a4a637e263afddc2cec14a39641d1866
Instruction Fuzzy Hash: 0771223260012A8BCB20DE3DDC616BE3F91BBA4754F254529F866BB284EA35CD45D3A0

Function 0054833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0054835A
_wcslen.LIBCMT ref: 0054836E
_wcslen.LIBCMT ref: 00548391
_wcslen.LIBCMT ref: 005483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00545BF2), ref: 0054844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00548487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00548501
FreeLibrary.KERNEL32(?), ref: 0054850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0054851D
DestroyIcon.USER32(?,?,?,?,?,00545BF2), ref: 0054852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00548549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00548555

Strings

.dll, xrefs: 005483AB
.exe, xrefs: 00548388
.icl, xrefs: 00548368

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 6c635907e080f0702215f78ac9772b742e3e054b56c75b4d153d11753a0749f0
Instruction ID: 7367047035609c7aabda645ce62d9a858522a4521d5a7707e122472c79610066
Opcode Fuzzy Hash: 6c635907e080f0702215f78ac9772b742e3e054b56c75b4d153d11753a0749f0
Instruction Fuzzy Hash: EC61F171900205BBEB14CF65DC81BFE7BA8BF48B19F10454AF915DA1D1DB74AA80DBA0

Function 004B7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 004B77FF
#cs, xrefs: 004B7873, 004B78C5
Unterminated group of comments, xrefs: 004F528C
#comments-end, xrefs: 004B78D9
#notrayicon, xrefs: 004B77E7
#include-once, xrefs: 004B782F
Cannot parse #include, xrefs: 004F5279
", xrefs: 004F5153
Bad directive syntax error, xrefs: 004F519A
', xrefs: 004F5169
#pragma compile, xrefs: 004B77D3
#ce, xrefs: 004B78ED
#comments-start, xrefs: 004B785F, 004B78B1
#OnAutoItStartRegister, xrefs: 004B7817
#include, xrefs: 004B7847

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 6e065a981b47575d1e28e860c0ad25b0dae2fc6d42a6e05ab33f9749b7758ce2
Instruction ID: da7b99af0d7d6a0ecc6104ca2cf76d0b5841279f329508ba07069f64585fbbb3
Opcode Fuzzy Hash: 6e065a981b47575d1e28e860c0ad25b0dae2fc6d42a6e05ab33f9749b7758ce2
Instruction Fuzzy Hash: AC81E971A04605BBDB10AF61DC42FFF3B64BF55304F04402BFA05AA292EB78D912D7A9

Function 00523E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00523EF8
_wcslen.LIBCMT ref: 00523F03
_wcslen.LIBCMT ref: 00523F5A
_wcslen.LIBCMT ref: 00523F98
GetDriveTypeW.KERNEL32(?), ref: 00523FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0052401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00524059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00524087

Strings

open, xrefs: 00523F54, 00523F59
type cdaudio alias cd wait, xrefs: 00524001
close cd wait, xrefs: 00524072
open , xrefs: 00523FE5
closed, xrefs: 00523F08, 00523F2D, 00523F46, 00523F7E, 00523F97
close, xrefs: 00523EFE, 00523F18
wait, xrefs: 00524044
set cd door , xrefs: 00524028

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: fe4113161badd8bf1ac479a6ded0f6ae3b1588ade1d96ad2c2ea49fe6345724a
Instruction ID: 1fc3ccb2386c81e41bf0d92428f9c99b2711cbc046a73fea458b8c21262f1d31
Opcode Fuzzy Hash: fe4113161badd8bf1ac479a6ded0f6ae3b1588ade1d96ad2c2ea49fe6345724a
Instruction Fuzzy Hash: DD71F4726043119FC310EF25E8808AABBF4FF95758F10492EF99597291E738DD49CB51

Function 00515A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00515A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00515A40
SetWindowTextW.USER32(?,?), ref: 00515A57
GetDlgItem.USER32(?,000003EA), ref: 00515A6C
SetWindowTextW.USER32(00000000,?), ref: 00515A72
GetDlgItem.USER32(?,000003E9), ref: 00515A82
SetWindowTextW.USER32(00000000,?), ref: 00515A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00515AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00515AC3
GetWindowRect.USER32(?,?), ref: 00515ACC
_wcslen.LIBCMT ref: 00515B33
SetWindowTextW.USER32(?,?), ref: 00515B6F
GetDesktopWindow.USER32 ref: 00515B75
GetWindowRect.USER32(00000000), ref: 00515B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00515BD3
GetClientRect.USER32(?,?), ref: 00515BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00515C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00515C2F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 035f01367d2a1d00dc13c25ba4bac85978b8c170916c0044dee7dda4bab251d6
Instruction ID: 0b1af35bd6466c233800c9865c0d69f18b839e55ba8b9e6584a487f96fc03b26
Opcode Fuzzy Hash: 035f01367d2a1d00dc13c25ba4bac85978b8c170916c0044dee7dda4bab251d6
Instruction Fuzzy Hash: 7D718031900B05EFDB20DFA9CE85AAEBFF5FF88705F104918E542A25A0E775E944DB50

Function 0052FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0052FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0052FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0052FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0052FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0052FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0052FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0052FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0052FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0052FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0052FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0052FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0052FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0052FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0052FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0052FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0052FECC
GetCursorInfo.USER32(?), ref: 0052FEDC
GetLastError.KERNEL32 ref: 0052FF1E

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: aba3962c366c2f6da1a808309a4b30b7bb903e32b8b26ff816802454a96ea2e6
Instruction ID: 91bb95ecc337612e99d400f76784297d15e22de07fb96d6f89ba18989b5351ed
Opcode Fuzzy Hash: aba3962c366c2f6da1a808309a4b30b7bb903e32b8b26ff816802454a96ea2e6
Instruction Fuzzy Hash: 114140B0D053196ADB109FBA9C8985EBFF8FF05354B50453AE119E7281DB78A9018F91

Function 005130F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0051318D
_wcslen.LIBCMT ref: 005131F8

Strings

CLASSNN, xrefs: 005131F3, 00513204
TEXT, xrefs: 0051347C
REGEXPCLASS, xrefs: 00513255, 00513266
CLASS, xrefs: 00513188, 005131A5
INSTANCE, xrefs: 00513453
NAME, xrefs: 00513335, 00513346
[W, xrefs: 0051339A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[W
API String ID: 176396367-355570473
Opcode ID: 0022e6b617a01c0fe0fe654c5655d552ebc81a94d8f459cc555e6423be532733
Instruction ID: d7b6eece1c4958112cff2411138934248fb1736b5fbcbd532b5b498f737b35c6
Opcode Fuzzy Hash: 0022e6b617a01c0fe0fe654c5655d552ebc81a94d8f459cc555e6423be532733
Instruction Fuzzy Hash: 96E12631A00516ABEF149F78C461AEDFFB5BF44710F14852AE416B3240EB74AEC9D790

Function 004D00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004D00C6

Part of subcall function 004D00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0058070C,00000FA0,FAC66F1B,?,?,?,?,004F23B3,000000FF), ref: 004D011C
Part of subcall function 004D00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004F23B3,000000FF), ref: 004D0127
Part of subcall function 004D00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004F23B3,000000FF), ref: 004D0138
Part of subcall function 004D00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 004D014E
Part of subcall function 004D00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 004D015C
Part of subcall function 004D00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 004D016A
Part of subcall function 004D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004D0195
Part of subcall function 004D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004D01A0

___scrt_fastfail.LIBCMT ref: 004D00E7

Part of subcall function 004D00A3: __onexit.LIBCMT ref: 004D00A9

Strings

InitializeConditionVariable, xrefs: 004D0148
WakeAllConditionVariable, xrefs: 004D0162
kernel32.dll, xrefs: 004D0133
SleepConditionVariableCS, xrefs: 004D0154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 004D0122

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 49828c8b64d207ce085a2628751cfb2bfe8ea8145f245c297593ce2a478f5565
Instruction ID: 50adf06770b2f165c00753c9cee98045e74140225840b04081ac8c22bc23c9b3
Opcode Fuzzy Hash: 49828c8b64d207ce085a2628751cfb2bfe8ea8145f245c297593ce2a478f5565
Instruction Fuzzy Hash: 15212636A413106BE7516BA8AC19BAE3BD4EB55B58F00013FFC01E33D1DB7998089B98

Function 005244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0054CC08), ref: 00524527
_wcslen.LIBCMT ref: 0052453B
_wcslen.LIBCMT ref: 00524599
_wcslen.LIBCMT ref: 005245F4
_wcslen.LIBCMT ref: 0052463F
_wcslen.LIBCMT ref: 005246A7

Part of subcall function 004CF9F2: _wcslen.LIBCMT ref: 004CF9FD

GetDriveTypeW.KERNEL32(?,00576BF0,00000061), ref: 00524743

Strings

network, xrefs: 0052469D, 005246A2
unknown, xrefs: 00524708
removable, xrefs: 005245EA, 005245EF
cdrom, xrefs: 0052458F, 00524594
fixed, xrefs: 00524635, 0052463A
all, xrefs: 00524531, 00524536
ramdisk, xrefs: 005246F1

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 84a89d575481ff01b99673cfd62dc8d69a14fd4e058a89e50b9f49a33be31b4d
Instruction ID: 268bb7f636a6387f62df7adb54bee119e20bb87c50c2ff7c00d836d5c1d62cb4
Opcode Fuzzy Hash: 84a89d575481ff01b99673cfd62dc8d69a14fd4e058a89e50b9f49a33be31b4d
Instruction Fuzzy Hash: BAB1F1316083229BC710DF29E890A6ABBE5BFA6724F50491EF49A872D1D734D845CA62

Function 0054911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004C9BB2

DragQueryPoint.SHELL32(?,?), ref: 00549147

Part of subcall function 00547674: ClientToScreen.USER32(?,?), ref: 0054769A
Part of subcall function 00547674: GetWindowRect.USER32(?,?), ref: 00547710
Part of subcall function 00547674: PtInRect.USER32(?,?,00548B89), ref: 00547720

SendMessageW.USER32(?,000000B0,?,?), ref: 005491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00549225
SendMessageW.USER32(?,000000B0,?,?), ref: 0054923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00549255
SendMessageW.USER32(?,000000B1,?,?), ref: 00549277
DragFinish.SHELL32(?), ref: 0054927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00549371

Strings

@GUI_DRAGID, xrefs: 005492E9
@GUI_DROPID, xrefs: 0054929E
p#X, xrefs: 005492BB
@GUI_DRAGFILE, xrefs: 00549320

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#X
API String ID: 221274066-368702875
Opcode ID: 553353d5982c8da28a6984a3b130a972f53b4c9fd95a63beccf6e68de6e1cab1
Instruction ID: a0f0bca33bb07f2c0ac83a2773046f9e1fdb2a734871406326447b2ff179737d
Opcode Fuzzy Hash: 553353d5982c8da28a6984a3b130a972f53b4c9fd95a63beccf6e68de6e1cab1
Instruction Fuzzy Hash: 80616671108301AFD701EF65D885DABBFE8FBD9358F00092EF995961A0DB309A49CB66

Function 004B326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00581990), ref: 004F2F8D
GetMenuItemCount.USER32(00581990), ref: 004F303D
GetCursorPos.USER32(?), ref: 004F3081
SetForegroundWindow.USER32(00000000), ref: 004F308A
TrackPopupMenuEx.USER32(00581990,00000000,?,00000000,00000000,00000000), ref: 004F309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004F30A9

Strings

0, xrefs: 004B327D

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: b84962944b011349e2f3d66896e0d25d6ecdd623956a5d644826e4eee050a5b9
Instruction ID: ce06945df58069a8a37569849b705a12340933107c64da5d1acccc59a2c3d15b
Opcode Fuzzy Hash: b84962944b011349e2f3d66896e0d25d6ecdd623956a5d644826e4eee050a5b9
Instruction Fuzzy Hash: 2771053064020ABEEB258F65CD49FEBBF64FB41324F204207F6146A2E0C7B5AD14DBA5

Function 00546CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00546DEB

Part of subcall function 004B6B57: _wcslen.LIBCMT ref: 004B6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00546E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00546E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00546E94
DestroyWindow.USER32(?), ref: 00546EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004B0000,00000000), ref: 00546EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00546EFD
GetDesktopWindow.USER32 ref: 00546F16
GetWindowRect.USER32(00000000), ref: 00546F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00546F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00546F4D

Part of subcall function 004C9944: GetWindowLongW.USER32(?,000000EB), ref: 004C9952

Strings

0, xrefs: 00546D98
tooltips_class32, xrefs: 00546E58, 00546EDD

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 2a6e6bf0db0461f810639750f13e77162a07af275dec8eb5e11b0e904da1f165
Instruction ID: 80bbf7e2f7aaa9af15d226124447ee793e32d3e4cd3acb2b659c243b47e9bbd8
Opcode Fuzzy Hash: 2a6e6bf0db0461f810639750f13e77162a07af275dec8eb5e11b0e904da1f165
Instruction Fuzzy Hash: 3C714874104344AFDB21CF18D894FAABFF9FB9A308F04441EF99997261C774A90ADB16

Function 0052C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0052C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0052C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0052C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0052C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0052C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0052C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0052C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0052C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0052C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0052C5F0
InternetCloseHandle.WININET(00000000), ref: 0052C5FB

Strings

, xrefs: 0052C575

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: ed3218ba709d3c20e79c41bf8702949f7911d02fc3761da6d6583eff397d9145
Instruction ID: 93ddb5d726d695147f232b32c7c8a7fa3dc7fee7b3b9c9cb4143edaf6fa4bb5d
Opcode Fuzzy Hash: ed3218ba709d3c20e79c41bf8702949f7911d02fc3761da6d6583eff397d9145
Instruction Fuzzy Hash: 76518DB4200614BFDB219F64D988AAF7FFCFF5A344F00441EF94596291DB74E908ABA0

Function 0054856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00548592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005485A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005485AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005485BA
GlobalLock.KERNEL32(00000000), ref: 005485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005485D7
GlobalUnlock.KERNEL32(00000000), ref: 005485E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005485F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0054FC38,?), ref: 00548611
GlobalFree.KERNEL32(00000000), ref: 00548621
GetObjectW.GDI32(?,00000018,?), ref: 00548641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00548671
DeleteObject.GDI32(?), ref: 00548699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005486AF

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: d81962e4a354a9a65a0d657d7c790e43f253167a1e3d9edc4eab8c65a2648a98
Instruction ID: 0a65eda212abbf1e52017c75d2315dbc0628dd857a8a7beb33d28845beeb0695
Opcode Fuzzy Hash: d81962e4a354a9a65a0d657d7c790e43f253167a1e3d9edc4eab8c65a2648a98
Instruction Fuzzy Hash: 9B411879601204AFDB519FA5CC48EEE7FB8FBAA719F108058F909E7260DB709905DB20

Function 005214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00521502
VariantCopy.OLEAUT32(?,?), ref: 0052150B
VariantClear.OLEAUT32(?), ref: 00521517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005215FB
VarR8FromDec.OLEAUT32(?,?), ref: 00521657
VariantInit.OLEAUT32(?), ref: 00521708
SysFreeString.OLEAUT32(?), ref: 0052178C
VariantClear.OLEAUT32(?), ref: 005217D8
VariantClear.OLEAUT32(?), ref: 005217E7
VariantInit.OLEAUT32(00000000), ref: 00521823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00521625
Default, xrefs: 005216AF

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 4f8b122ca529a2906349864f175546ca797c8e1787c981eabfec2c371c509df5
Instruction ID: bb4152d064634bf038d83825da85c4ea99a354c98676d2323455a4a3ac34097e
Opcode Fuzzy Hash: 4f8b122ca529a2906349864f175546ca797c8e1787c981eabfec2c371c509df5
Instruction Fuzzy Hash: 80D10131600925EBCB049F65F884BBABBB5BF56704F14849AF406AB1C0DB38EC45DF69

Function 0053B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

Part of subcall function 0053C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053B6AE,?,?), ref: 0053C9B5
Part of subcall function 0053C998: _wcslen.LIBCMT ref: 0053C9F1
Part of subcall function 0053C998: _wcslen.LIBCMT ref: 0053CA68
Part of subcall function 0053C998: _wcslen.LIBCMT ref: 0053CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0053B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0053B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0053B80A
RegCloseKey.ADVAPI32(?), ref: 0053B87E
RegCloseKey.ADVAPI32(?), ref: 0053B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0053B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0053B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0053B922
FreeLibrary.KERNEL32(00000000), ref: 0053B983
RegCloseKey.ADVAPI32(00000000), ref: 0053B994

Strings

RegDeleteKeyExW, xrefs: 0053B8FE
advapi32.dll, xrefs: 0053B8ED

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: ece0b347831640cfeea1ab0db69378874c01b34f900ff17e60ba5b7d492c9c05
Instruction ID: 8ba5ac47665e3cc2a3d337d56a890487208c633673101e9f3a7cb9d73978f8e8
Opcode Fuzzy Hash: ece0b347831640cfeea1ab0db69378874c01b34f900ff17e60ba5b7d492c9c05
Instruction Fuzzy Hash: A4C18D35204201AFE710DF25C495F6ABBE5FF84308F14899DF69A8B2A2CB35ED45CB91

Function 0053255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005325E8
CreateCompatibleDC.GDI32(?), ref: 005325F4
SelectObject.GDI32(00000000,?), ref: 00532601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0053266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005326D0
SelectObject.GDI32(?,?), ref: 005326D8
DeleteObject.GDI32(?), ref: 005326E1
DeleteDC.GDI32(?), ref: 005326E8
ReleaseDC.USER32(00000000,?), ref: 005326F3

Strings

(, xrefs: 0053268D

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 9eb107d5e1034208bf0eaf45022e26488a29cb0208f8c5670930289ab70df31e
Instruction ID: b7a4f743714b1465e1b947bdc59ed61ef1dc2e5f6965c2bca91223a953a1b2f9
Opcode Fuzzy Hash: 9eb107d5e1034208bf0eaf45022e26488a29cb0208f8c5670930289ab70df31e
Instruction Fuzzy Hash: 34610375D00219EFCF04CFA8D885EAEBBB5FF88314F208529E956A7250D770A951DF50

Function 004EDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004EDAA1

Part of subcall function 004ED63C: _free.LIBCMT ref: 004ED659
Part of subcall function 004ED63C: _free.LIBCMT ref: 004ED66B
Part of subcall function 004ED63C: _free.LIBCMT ref: 004ED67D
Part of subcall function 004ED63C: _free.LIBCMT ref: 004ED68F
Part of subcall function 004ED63C: _free.LIBCMT ref: 004ED6A1
Part of subcall function 004ED63C: _free.LIBCMT ref: 004ED6B3
Part of subcall function 004ED63C: _free.LIBCMT ref: 004ED6C5
Part of subcall function 004ED63C: _free.LIBCMT ref: 004ED6D7
Part of subcall function 004ED63C: _free.LIBCMT ref: 004ED6E9
Part of subcall function 004ED63C: _free.LIBCMT ref: 004ED6FB
Part of subcall function 004ED63C: _free.LIBCMT ref: 004ED70D
Part of subcall function 004ED63C: _free.LIBCMT ref: 004ED71F
Part of subcall function 004ED63C: _free.LIBCMT ref: 004ED731

_free.LIBCMT ref: 004EDA96

Part of subcall function 004E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004ED7D1,00000000,00000000,00000000,00000000,?,004ED7F8,00000000,00000007,00000000,?,004EDBF5,00000000), ref: 004E29DE
Part of subcall function 004E29C8: GetLastError.KERNEL32(00000000,?,004ED7D1,00000000,00000000,00000000,00000000,?,004ED7F8,00000000,00000007,00000000,?,004EDBF5,00000000,00000000), ref: 004E29F0

_free.LIBCMT ref: 004EDAB8
_free.LIBCMT ref: 004EDACD
_free.LIBCMT ref: 004EDAD8
_free.LIBCMT ref: 004EDAFA
_free.LIBCMT ref: 004EDB0D
_free.LIBCMT ref: 004EDB1B
_free.LIBCMT ref: 004EDB26
_free.LIBCMT ref: 004EDB5E
_free.LIBCMT ref: 004EDB65
_free.LIBCMT ref: 004EDB82
_free.LIBCMT ref: 004EDB9A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 57c74513a814cbe66080db9bad410d0d40d29adcc1e1b2ca76c84eec08365103
Instruction ID: 428810898a4730429f327d6baf39aae9efd1bde37c9bde88ae50acdd3013f2db
Opcode Fuzzy Hash: 57c74513a814cbe66080db9bad410d0d40d29adcc1e1b2ca76c84eec08365103
Instruction Fuzzy Hash: 49317FB1A042889FDB21AA37E942B5777E8FF00316F11446FE059D7292DA7DAD40C728

Function 0051365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0051369C
_wcslen.LIBCMT ref: 005136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00513797
GetClassNameW.USER32(?,?,00000400), ref: 0051380C
GetDlgCtrlID.USER32(?), ref: 0051385D
GetWindowRect.USER32(?,?), ref: 00513882
GetParent.USER32(?), ref: 005138A0
ScreenToClient.USER32(00000000), ref: 005138A7
GetClassNameW.USER32(?,?,00000100), ref: 00513921
GetWindowTextW.USER32(?,?,00000400), ref: 0051395D

Strings

%s%u, xrefs: 00513734

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 9d0fa36d644643c554742c45e35897bf74831620ef8d32a19b93ecde765e3b3f
Instruction ID: 5b9fb02c5c149866858631365d57f2dc5090c157d93c385f99c53af7e69d2e5b
Opcode Fuzzy Hash: 9d0fa36d644643c554742c45e35897bf74831620ef8d32a19b93ecde765e3b3f
Instruction Fuzzy Hash: F691D971205606AFE714DF24C8A5FEAFBA8FF44354F00851DF999D2190DB34EA89CB91

Function 00514954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00514994
GetWindowTextW.USER32(?,?,00000400), ref: 005149DA
_wcslen.LIBCMT ref: 005149EB
CharUpperBuffW.USER32(?,00000000), ref: 005149F7
_wcsstr.LIBVCRUNTIME ref: 00514A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00514A64
GetWindowTextW.USER32(?,?,00000400), ref: 00514A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00514AE6
GetClassNameW.USER32(?,?,00000400), ref: 00514B20
GetWindowRect.USER32(?,?), ref: 00514B8B

Strings

ThumbnailClass, xrefs: 00514A6F, 00514AF1

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 654bf5e4178b9cc076b0da48c424f5ca71d13dee2d93143328ff6a909058a178
Instruction ID: cca18f27b54d4bb08bf0e3f815e2894cf0e4c19acc4b3276ec3973f65333bdd5
Opcode Fuzzy Hash: 654bf5e4178b9cc076b0da48c424f5ca71d13dee2d93143328ff6a909058a178
Instruction Fuzzy Hash: BD91CE710082069BEB04DF14C885BEA7BE8FF84358F04946AFD859A196DB34ED85CFA1

Function 00548D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004C9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00548D5A
GetFocus.USER32 ref: 00548D6A
GetDlgCtrlID.USER32(00000000), ref: 00548D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00548E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00548ECF
GetMenuItemCount.USER32(?), ref: 00548EEC
GetMenuItemID.USER32(?,00000000), ref: 00548EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00548F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00548F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00548FA1

Strings

0, xrefs: 00548E9F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: b4c25a79eab3495c9a1ea55aa244bef2d40bd04e088bf76bfb37125fec5f3109
Instruction ID: 9c555a7cb9227d5d33da2aa6eaec5fb876b993b858f817790ea1f2c46cfe8c9a
Opcode Fuzzy Hash: b4c25a79eab3495c9a1ea55aa244bef2d40bd04e088bf76bfb37125fec5f3109
Instruction Fuzzy Hash: 1F818B71508301ABDB10CF24C884AFF7FE9BB99758F04091EF99597291DB30D909DB62

Function 0051DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0051DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0051DC46
_wcslen.LIBCMT ref: 0051DC50
_wcsstr.LIBVCRUNTIME ref: 0051DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0051DCBC

Strings

StringFileInfo\, xrefs: 0051DC8F
DefaultLangCodepage, xrefs: 0051DD1F
%u.%u.%u.%u, xrefs: 0051DD9A
\VarFileInfo\Translation, xrefs: 0051DCB4
04090000, xrefs: 0051DCF2

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 57b53314faa93ee6d08be4de70970a978bc50b33b5ba2621c05bcd17da4f42e5
Instruction ID: e990f1f47edb8cd39eb2fe777a7dcc011005e65e866bfd4ca2c6c57df0c71d63
Opcode Fuzzy Hash: 57b53314faa93ee6d08be4de70970a978bc50b33b5ba2621c05bcd17da4f42e5
Instruction Fuzzy Hash: 3C4108769402047AEB00A766AC43EFF7B7CEF51718F10446FF900A6282EB78990097B9

Function 0053CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0053CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0053CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0053CD48

Part of subcall function 0053CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0053CCAA
Part of subcall function 0053CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0053CCBD
Part of subcall function 0053CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0053CCCF
Part of subcall function 0053CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0053CD05
Part of subcall function 0053CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0053CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0053CCF3

Strings

RegDeleteKeyExW, xrefs: 0053CCC9
advapi32.dll, xrefs: 0053CCB8

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 05b500bda0b40a63088c47c7168bb84e4b08e3d4a0989a8c09758567045a841a
Instruction ID: 6448fc761c09f5898d4260f02782dac2dc7cabafa87009fffbdb8c0692675b17
Opcode Fuzzy Hash: 05b500bda0b40a63088c47c7168bb84e4b08e3d4a0989a8c09758567045a841a
Instruction Fuzzy Hash: B4318E75902129BBDB208B91DC88EFFBF7CFF56744F000565B905E6240DA349E49EBA0

Function 00523D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00523D40
_wcslen.LIBCMT ref: 00523D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00523D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00523DBE
RemoveDirectoryW.KERNEL32(?), ref: 00523DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00523E55
CloseHandle.KERNEL32(00000000), ref: 00523E60
CloseHandle.KERNEL32(00000000), ref: 00523E6B

Strings

:, xrefs: 00523D82
\??\%s, xrefs: 00523D5B
\, xrefs: 00523D77

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1ed21adf7f1735c4f9adf74bcc66b98062393df219811c3fe7012b8fb2f46953
Instruction ID: 8bf033a6115692e5b34ed5f14fedd8f43306efad38e738ca009c15f11f132aac
Opcode Fuzzy Hash: 1ed21adf7f1735c4f9adf74bcc66b98062393df219811c3fe7012b8fb2f46953
Instruction Fuzzy Hash: 4631A5B6A04119ABDB209FA1DC45FEB3BBCFF8A744F1041B6F505D61A0E77897448B24

Function 0051E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0051E6B4

Part of subcall function 004CE551: timeGetTime.WINMM(?,?,0051E6D4), ref: 004CE555

Sleep.KERNEL32(0000000A), ref: 0051E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0051E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0051E727
SetActiveWindow.USER32 ref: 0051E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0051E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0051E773
Sleep.KERNEL32(000000FA), ref: 0051E77E
IsWindow.USER32 ref: 0051E78A
EndDialog.USER32(00000000), ref: 0051E79B

Strings

BUTTON, xrefs: 0051E719

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f6fd8cdc31295541b2b82c6d0cfcbd49dd997be561a1591c133a27212d3e9e24
Instruction ID: 20679d7563f99c1f8a58e3058be9c6b390851cbb28f41efa48006671063e17b4
Opcode Fuzzy Hash: f6fd8cdc31295541b2b82c6d0cfcbd49dd997be561a1591c133a27212d3e9e24
Instruction Fuzzy Hash: 4A21A474201241AFFB006F22FC8AEA53FA9F7B634CF046424FC01911A1EF719C48AB14

Function 0051E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0051EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0051EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0051EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0051EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0051EAA7

Strings

play PlayMe, xrefs: 0051EAA2
open , xrefs: 0051EA0C
play PlayMe wait, xrefs: 0051EA91
status PlayMe mode, xrefs: 0051EA58
alias PlayMe, xrefs: 0051EA36
close PlayMe, xrefs: 0051EA6E, 0051EA9B

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 0d24d5efa6370ee27e970e2a1bff2cd68a883635d531baf421ce2b7023379d2b
Instruction ID: daaee5b7c083f28b88c047ca79dad17963088b8639c65a2a81914230fc5a1112
Opcode Fuzzy Hash: 0d24d5efa6370ee27e970e2a1bff2cd68a883635d531baf421ce2b7023379d2b
Instruction Fuzzy Hash: 43115171A5025979E720A7A2EC4BDFF6EBCFFD1F04F44442AB905A20D1EA700D45C5B0

Function 00515CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00515CE2
GetWindowRect.USER32(00000000,?), ref: 00515CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00515D59
GetDlgItem.USER32(?,00000002), ref: 00515D69
GetWindowRect.USER32(00000000,?), ref: 00515D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00515DCF
GetDlgItem.USER32(?,000003E9), ref: 00515DDD
GetWindowRect.USER32(00000000,?), ref: 00515DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00515E31
GetDlgItem.USER32(?,000003EA), ref: 00515E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00515E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00515E67

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 104fda454a913187dfd2ef3dacbd527fa609e720137871537a8bb8de99e4270b
Instruction ID: bc70779d14033fc72e182b9ee45057ddca912a2fb9a3fa169141994c45c6930e
Opcode Fuzzy Hash: 104fda454a913187dfd2ef3dacbd527fa609e720137871537a8bb8de99e4270b
Instruction Fuzzy Hash: E2511074B00605AFDB18CF68DD89AEE7FB9FB99300F148229F915E6290D7709E44CB50

Function 004C8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004C8BE8,?,00000000,?,?,?,?,004C8BBA,00000000,?), ref: 004C8FC5

DestroyWindow.USER32(?), ref: 004C8C81
KillTimer.USER32(00000000,?,?,?,?,004C8BBA,00000000,?), ref: 004C8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00506973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,004C8BBA,00000000,?), ref: 005069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,004C8BBA,00000000,?), ref: 005069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,004C8BBA,00000000), ref: 005069D4
DeleteObject.GDI32(00000000), ref: 005069E6

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 17b301cba8c685b92fc5d32890d9587a7e7ffcc8e1ec4664fce7c8241e6ccb86
Instruction ID: f2c2e18d56327156c145bba24713f96dabaf0287fb33289c9584809cfec7a9c3
Opcode Fuzzy Hash: 17b301cba8c685b92fc5d32890d9587a7e7ffcc8e1ec4664fce7c8241e6ccb86
Instruction Fuzzy Hash: A361E438102B00DFCB719F14D948B6A7BF1FB61316F10541EE442A7AA0CB39AC96EF59

Function 004C9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 004C9944: GetWindowLongW.USER32(?,000000EB), ref: 004C9952

GetSysColor.USER32(0000000F), ref: 004C9862

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a6961919821352f225ac60b2626ef3c1900345b095fddbc76d3ced8364ecd1ab
Instruction ID: 42394b87e4745d64b153d27fe2eb455240dede66a6c10681582c52cf5b63efd8
Opcode Fuzzy Hash: a6961919821352f225ac60b2626ef3c1900345b095fddbc76d3ced8364ecd1ab
Instruction Fuzzy Hash: 3C41F539501604AFDB606F389C48FFA3B65BB57330F14464AF9A2872E1C7349C46EB24

Function 004E8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.M, xrefs: 004E903A, 004E8FD0, 004E8FF2

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: .M
API String ID: 0-2714461155
Opcode ID: dc4da8820c0d1ca652f434d72e68d5e60697463899fa248bdb853866021f6ad2
Instruction ID: 17239b850214f3880bb0fd8eaceec3e2be3982e60e146fe9b6caba48bbab8af8
Opcode Fuzzy Hash: dc4da8820c0d1ca652f434d72e68d5e60697463899fa248bdb853866021f6ad2
Instruction Fuzzy Hash: 4FC12874904289AFCF21DFAAC841BAE7BB0AF09315F04419FE955A73D2C7388D45CB69

Function 005196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,004FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00519717
LoadStringW.USER32(00000000,?,004FF7F8,00000001), ref: 00519720

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,004FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00519742
LoadStringW.USER32(00000000,?,004FF7F8,00000001), ref: 00519745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00519866

Strings

Line %d (File "%s"):, xrefs: 0051978F
Line %d:, xrefs: 005197A0
Error: , xrefs: 0051981D
%s (%d) : ==> %s: %s %s, xrefs: 0051984A
^ ERROR, xrefs: 005197FB

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3a8218d51ee587e5bbe5576579ef7c1d26f5706d37a507965e5b84a20982ab5e
Instruction ID: f0d1f8b27029ed096fcefaa98318adf803dba55f11d4765ad29d7e043685db78
Opcode Fuzzy Hash: 3a8218d51ee587e5bbe5576579ef7c1d26f5706d37a507965e5b84a20982ab5e
Instruction Fuzzy Hash: 79418E72800209AADF04FBE1DD96DEE7B79AF55344F60002AF60572092EB396F48CB75

Function 005106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 004B6B57: _wcslen.LIBCMT ref: 004B6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00510804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0051082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00510837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0051083C

Strings

SOFTWARE\Classes\, xrefs: 0051070E
\CLSID, xrefs: 00510724
\IPC$, xrefs: 00510784

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 9a3929d30c4cfe49fb02638d529127c165512c3376ea71b7413bb2400a22ed6f
Instruction ID: fa91bbd2874b240c1ed87002103fd1a496cee53500a1bd412ba76a9b4d6c981d
Opcode Fuzzy Hash: 9a3929d30c4cfe49fb02638d529127c165512c3376ea71b7413bb2400a22ed6f
Instruction Fuzzy Hash: 00414C72C10228ABDF11EFA5DC95CEDBB78FF54344F04412AE905A31A1EB74AE44DBA0

Function 00533C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00533C5C
CoInitialize.OLE32(00000000), ref: 00533C8A
CoUninitialize.OLE32 ref: 00533C94
_wcslen.LIBCMT ref: 00533D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00533DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00533ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00533F0E
CoGetObject.OLE32(?,00000000,0054FB98,?), ref: 00533F2D
SetErrorMode.KERNEL32(00000000), ref: 00533F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00533FC4
VariantClear.OLEAUT32(?), ref: 00533FD8

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 4b37b78d640b6c9ff15213d9979e44ff21d74f879044038121aa66a2d7322f9b
Instruction ID: b7d451cb8a0b7fa8dd2603c9540b3aa273fcc8acb9284926b1c76f9d2b68b906
Opcode Fuzzy Hash: 4b37b78d640b6c9ff15213d9979e44ff21d74f879044038121aa66a2d7322f9b
Instruction Fuzzy Hash: 23C15771608305AFD700DF68C88496BBBE9FF89748F14491DF98A9B260D731EE45CB62

Function 00527A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00527AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00527B8F
SHGetDesktopFolder.SHELL32(?), ref: 00527BA3
CoCreateInstance.OLE32(0054FD08,00000000,00000001,00576E6C,?), ref: 00527BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00527C74
CoTaskMemFree.OLE32(?,?), ref: 00527CCC
SHBrowseForFolderW.SHELL32(?), ref: 00527D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00527D7A
CoTaskMemFree.OLE32(00000000), ref: 00527D81
CoTaskMemFree.OLE32(00000000), ref: 00527DD6
CoUninitialize.OLE32 ref: 00527DDC

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 365a626b7dc63caa90ba4bc24c76b3f22251bd9a173f79cc706ccba242ce73ce
Instruction ID: 0febfb127f281f9e41ed74a44ad63e1df8b24df8c1edf67d8d1c63c7187ca693
Opcode Fuzzy Hash: 365a626b7dc63caa90ba4bc24c76b3f22251bd9a173f79cc706ccba242ce73ce
Instruction Fuzzy Hash: EDC13C75A04119AFCB14DFA4D888DAEBFF9FF49308B148499E8169B361D730EE45CB90

Function 0054541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00545504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00545515
CharNextW.USER32(00000158), ref: 00545544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00545585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0054559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005455AC

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 83b0a58a3c4373da197302d764a71ac9a85e18f336c642e58549d355784dd0a3
Instruction ID: 42fee5485b752b59332e576faa25a09e3af45bda373a34b745a634eb827d3fe0
Opcode Fuzzy Hash: 83b0a58a3c4373da197302d764a71ac9a85e18f336c642e58549d355784dd0a3
Instruction Fuzzy Hash: 6E61B134905608EFDF109F64CC849FE3F79FB0A328F108545F925AB292E7748A84EB60

Function 0050FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0050FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0050FB08
VariantInit.OLEAUT32(?), ref: 0050FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0050FB3A
VariantCopy.OLEAUT32(?,?), ref: 0050FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0050FBA1
VariantClear.OLEAUT32(?), ref: 0050FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0050FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0050FBCC
VariantClear.OLEAUT32(?), ref: 0050FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0050FBE9

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 220e58fadd0251cb98a3c81ff268761ef45c17a66c09bcfaff2bb007d85fd07b
Instruction ID: 2ec1f94605880bd35b531a1b0e2190692bcc068444b620c1f1ace94850866d62
Opcode Fuzzy Hash: 220e58fadd0251cb98a3c81ff268761ef45c17a66c09bcfaff2bb007d85fd07b
Instruction Fuzzy Hash: C0417F35A01219DFCF10DF64C8589EEBFB9FF58359F008069E905A72A1CB34A945DFA0

Function 00519C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00519CA1
GetAsyncKeyState.USER32(000000A0), ref: 00519D22
GetKeyState.USER32(000000A0), ref: 00519D3D
GetAsyncKeyState.USER32(000000A1), ref: 00519D57
GetKeyState.USER32(000000A1), ref: 00519D6C
GetAsyncKeyState.USER32(00000011), ref: 00519D84
GetKeyState.USER32(00000011), ref: 00519D96
GetAsyncKeyState.USER32(00000012), ref: 00519DAE
GetKeyState.USER32(00000012), ref: 00519DC0
GetAsyncKeyState.USER32(0000005B), ref: 00519DD8
GetKeyState.USER32(0000005B), ref: 00519DEA

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fcf0a02795cd2450b411a7de6b52484c8ab0a2eddfb80734494c7413a43eb02a
Instruction ID: 257ce23988b510ce4b528c895a0acf3e9246bfb3272aa41f418f85133d6358e6
Opcode Fuzzy Hash: fcf0a02795cd2450b411a7de6b52484c8ab0a2eddfb80734494c7413a43eb02a
Instruction Fuzzy Hash: F641D6346047C96AFF709664D8243F5BEF07F62348F08805ADAC6565C2DBA49DC8C7E2

Function 0053055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005305BC
inet_addr.WSOCK32(?), ref: 0053061C
gethostbyname.WSOCK32(?), ref: 00530628
IcmpCreateFile.IPHLPAPI ref: 00530636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005307B9
WSACleanup.WSOCK32 ref: 005307BF

Strings

Ping, xrefs: 00530676

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 774501bd596625b8197001a63cc1daddccd455702301e6ad5f5f12c038120a5e
Instruction ID: 3aa2e493e1d17ba48590926abeb2b40c5c3c1131d8b5d2ac067845c661576bb2
Opcode Fuzzy Hash: 774501bd596625b8197001a63cc1daddccd455702301e6ad5f5f12c038120a5e
Instruction Fuzzy Hash: A2916835604301AFD720DF15C899B1ABFE0FB85318F1499A9E46A8B6A2C734EC45CF91

Function 00538CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00538CF3

Part of subcall function 00518E54: _wcslen.LIBCMT ref: 00518E77

_wcslen.LIBCMT ref: 00538D4E
_wcslen.LIBCMT ref: 00538D9C
_wcslen.LIBCMT ref: 00538DDC
_wcslen.LIBCMT ref: 00538E6E

Strings

stdcall, xrefs: 00538DD6, 00538DDB
winapi, xrefs: 00538D96, 00538D9B
none, xrefs: 00538E65, 00538E6A
cdecl, xrefs: 00538D48, 00538D4D

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: e89ecbee0a022f3e83614cbaeaca534911da496b90279fd06ac2580a44a4bd55
Instruction ID: 49c5f551b4bc0c8b3b5102904064c3f126c544c5e265bf216dee5abd0bf60de5
Opcode Fuzzy Hash: e89ecbee0a022f3e83614cbaeaca534911da496b90279fd06ac2580a44a4bd55
Instruction Fuzzy Hash: D051A171A002169BCF18DF69C9508BEBBA5BF64724F20462AF826E73C4DB34DD44D790

Function 0053372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00533774
CoUninitialize.OLE32 ref: 0053377F
CoCreateInstance.OLE32(?,00000000,00000017,0054FB78,?), ref: 005337D9
IIDFromString.OLE32(?,?), ref: 0053384C
VariantInit.OLEAUT32(?), ref: 005338E4
VariantClear.OLEAUT32(?), ref: 00533936

Strings

Failed to create object, xrefs: 005337E4, 0053389A
Invalid parameter, xrefs: 00533865
NULL Pointer assignment, xrefs: 0053381E

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e2208580741cc9061f8c70dcedbb95a1576f2e6383c7136c34824bae4163eb36
Instruction ID: 72877605f7966fb4a3975209143da68da7ef44d45964921b312c5ea7de6f3065
Opcode Fuzzy Hash: e2208580741cc9061f8c70dcedbb95a1576f2e6383c7136c34824bae4163eb36
Instruction Fuzzy Hash: 65618A75609301AFD310DF54D889BAABFE8FF89714F004819F9859B291C770EE48CBA6

Function 00548B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004C9BB2

Part of subcall function 004C912D: GetCursorPos.USER32(?), ref: 004C9141
Part of subcall function 004C912D: ScreenToClient.USER32(00000000,?), ref: 004C915E
Part of subcall function 004C912D: GetAsyncKeyState.USER32(00000001), ref: 004C9183
Part of subcall function 004C912D: GetAsyncKeyState.USER32(00000002), ref: 004C919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00548B6B
ImageList_EndDrag.COMCTL32 ref: 00548B71
ReleaseCapture.USER32 ref: 00548B77
SetWindowTextW.USER32(?,00000000), ref: 00548C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00548C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00548CFF

Strings

@GUI_DROPID, xrefs: 00548C51
@GUI_DRAGFILE, xrefs: 00548C9A
p#X, xrefs: 00548C71

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#X
API String ID: 1924731296-423097835
Opcode ID: 70b00411d56a2d94e302e13fda44a5f0682e8e3bc36384321e5e761a01ca5195
Instruction ID: 15c33a12a034ab24ebc30ddb7aa779e9d0686c9a88ad68dd6e11280e43d1088b
Opcode Fuzzy Hash: 70b00411d56a2d94e302e13fda44a5f0682e8e3bc36384321e5e761a01ca5195
Instruction Fuzzy Hash: FF517B74105204AFD704EF14DC9ABAE7BE4FB98718F00062DF9566B2E1CB749D08DB66

Function 00523388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005233CF

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005233F0

Strings

Line %d (File "%s"):, xrefs: 00523443, 0052345C
Error: , xrefs: 005234D1
"%s" (%d) : ==> %s:, xrefs: 00523522
Incorrect parameters to object property !, xrefs: 005234AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00523504
^ ERROR , xrefs: 0052349E

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 743e19374893b79402ff2a91e82c63073e6381d9653380da9d5a1be5424e0892
Instruction ID: 39b63378f0dad48334905e7ff15a89302ed9d9e83383e10e6821d8ad0ea530b0
Opcode Fuzzy Hash: 743e19374893b79402ff2a91e82c63073e6381d9653380da9d5a1be5424e0892
Instruction Fuzzy Hash: 9F51D331900219AADF14EBA1DD46EEEBB79BF14344F10446AF50972091EB392F58DB74

Function 0051B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0051B5FC
_wcslen.LIBCMT ref: 0051B608
_wcslen.LIBCMT ref: 0051B64D
_wcslen.LIBCMT ref: 0051B68C
_wcslen.LIBCMT ref: 0051B6C7

Strings

APPEND, xrefs: 0051B6C1, 0051B6C6
EXISTS, xrefs: 0051B686, 0051B68B
KEYS, xrefs: 0051B647, 0051B64C
REMOVE, xrefs: 0051B602, 0051B607

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: b7babea546974e2afb2d9c7ce2254836de9824b89fcd65fe006403195326cb52
Instruction ID: be7af0ffc319f5a9ca706190c25d2863fe63faa920f61dca4c97397fe81563ab
Opcode Fuzzy Hash: b7babea546974e2afb2d9c7ce2254836de9824b89fcd65fe006403195326cb52
Instruction Fuzzy Hash: 9441C932A001269BEB105F7EC9A05FE7FA5FBB0798B24452AE465D7284E735CDC1C790

Function 00525393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00525416
GetLastError.KERNEL32 ref: 00525420
SetErrorMode.KERNEL32(00000000,READY), ref: 005254A7

Strings

READY, xrefs: 00525460, 00525468
UNKNOWN, xrefs: 00525444
READONLY, xrefs: 00525452
NOTREADY, xrefs: 0052544B
INVALID, xrefs: 00525459

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 2f7323bcc800bd0c5002321ba5bc98958f2c146fb4d72fa15b9e41dc46470075
Instruction ID: a75768adc7a787ed8d6e7629c67923d8750e32bc45014edfb3821cb3bcaf310c
Opcode Fuzzy Hash: 2f7323bcc800bd0c5002321ba5bc98958f2c146fb4d72fa15b9e41dc46470075
Instruction Fuzzy Hash: 6F31A435A005149FDB10EF68D488AEABFB4FF56309F54805AE505CB292E771DD86CBE0

Function 00543C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00543C79
SetMenu.USER32(?,00000000), ref: 00543C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00543D10
IsMenu.USER32(?), ref: 00543D24
CreatePopupMenu.USER32 ref: 00543D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00543D5B
DrawMenuBar.USER32 ref: 00543D63

Strings

0, xrefs: 00543C54
F, xrefs: 00543D4E

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 4aff153264889888af68235ece19ff4d1ad00abca9ec4cdb46dc1af431b9a5b8
Instruction ID: 96b9b3752dc982bdf57e0abc40f2a61d9d9eee560c86bf45b7ab39fb9c1240ec
Opcode Fuzzy Hash: 4aff153264889888af68235ece19ff4d1ad00abca9ec4cdb46dc1af431b9a5b8
Instruction Fuzzy Hash: 6A416B79A02209AFDB14CF64D884AEE7FB5FF59358F140029F946A7360D730AA14DF94

Function 00511EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

Part of subcall function 00513CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00513CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00511F64
GetDlgCtrlID.USER32 ref: 00511F6F
GetParent.USER32 ref: 00511F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00511F8E
GetDlgCtrlID.USER32(?), ref: 00511F97
GetParent.USER32(?), ref: 00511FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00511FAE

Strings

ListBox, xrefs: 00511F21
ComboBox, xrefs: 00511EEC

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: a305a1fc7015ebb9eaf2708272dc33b1257387f5221c938bae28a8f84e90ef7b
Instruction ID: da9c8a3561fef0c95e46b41b091687a3e1692d25bc7d3f2d760afb6314ddd14a
Opcode Fuzzy Hash: a305a1fc7015ebb9eaf2708272dc33b1257387f5221c938bae28a8f84e90ef7b
Instruction Fuzzy Hash: CA21D074900214BBDF00AFA4CC84DEEBFB8BF56344F10414ABA656B291DB784949DB74

Function 00543A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00543A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00543AA0
GetWindowLongW.USER32(?,000000F0), ref: 00543AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00543AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00543B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00543BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00543BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00543BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00543BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00543C13

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: ffc74615c7abb76a7dc0fa6c513f011251485277cf5a74344d86a17fefe560e6
Instruction ID: 5be2cdc044af849b305bd1398817e6467de81ffb11913286ead021674db06c89
Opcode Fuzzy Hash: ffc74615c7abb76a7dc0fa6c513f011251485277cf5a74344d86a17fefe560e6
Instruction Fuzzy Hash: BB615875900208AFDB10DFA8CC81EEE7BB8FB49704F104199FA15AB2A1C774AE45DF54

Function 0051B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0051B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0051A1E1,?,00000001), ref: 0051B165
GetWindowThreadProcessId.USER32(00000000), ref: 0051B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0051A1E1,?,00000001), ref: 0051B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0051B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0051A1E1,?,00000001), ref: 0051B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0051A1E1,?,00000001), ref: 0051B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0051A1E1,?,00000001), ref: 0051B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0051A1E1,?,00000001), ref: 0051B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0051A1E1,?,00000001), ref: 0051B21D

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 0c0eac908073b31ebe6f99593d2576230911a4a2757de92572a1ee1b84c3a482
Instruction ID: 4a913c9f8a7c7888561cf150b1de18b1cce1e64cc584c5ea989503bbd4add5c0
Opcode Fuzzy Hash: 0c0eac908073b31ebe6f99593d2576230911a4a2757de92572a1ee1b84c3a482
Instruction Fuzzy Hash: 35319C79541204FFFB109F64DC58FED7FA9BBA1715F118044FA10E6190E7B49A889B60

Function 004E2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004E2C94

Part of subcall function 004E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004ED7D1,00000000,00000000,00000000,00000000,?,004ED7F8,00000000,00000007,00000000,?,004EDBF5,00000000), ref: 004E29DE
Part of subcall function 004E29C8: GetLastError.KERNEL32(00000000,?,004ED7D1,00000000,00000000,00000000,00000000,?,004ED7F8,00000000,00000007,00000000,?,004EDBF5,00000000,00000000), ref: 004E29F0

_free.LIBCMT ref: 004E2CA0
_free.LIBCMT ref: 004E2CAB
_free.LIBCMT ref: 004E2CB6
_free.LIBCMT ref: 004E2CC1
_free.LIBCMT ref: 004E2CCC
_free.LIBCMT ref: 004E2CD7
_free.LIBCMT ref: 004E2CE2
_free.LIBCMT ref: 004E2CED
_free.LIBCMT ref: 004E2CFB

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8e41a36830d0c097e0b019641f4226c7c61b0264bcd836e0c49f3dc85db48eae
Instruction ID: 66a73477e273e30ada045e0add75bc0ffac9c9cfad6fb5e21703a69ce9a3169f
Opcode Fuzzy Hash: 8e41a36830d0c097e0b019641f4226c7c61b0264bcd836e0c49f3dc85db48eae
Instruction Fuzzy Hash: 9C111CB520004CBFCB02EF56DA42CDD3BA9FF05345F42509AF9485F222D679EE509B54

Function 00527DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00527FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00527FC1
GetFileAttributesW.KERNEL32(?), ref: 00527FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00528005
SetCurrentDirectoryW.KERNEL32(?), ref: 00528017
SetCurrentDirectoryW.KERNEL32(?), ref: 00528060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005280B0

Strings

*.*, xrefs: 00528066

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 82007e7e81f5edac578568a3f61a1cfe0b6aca2e327819283f9fa91144726312
Instruction ID: 72808853aee2a6226fa7248cb3422910d0de2d549bd63b427420495e353f0318
Opcode Fuzzy Hash: 82007e7e81f5edac578568a3f61a1cfe0b6aca2e327819283f9fa91144726312
Instruction Fuzzy Hash: 5081F3725082159BCB20EF65D4849BEBBE8BF8A314F144C5EF885C7290DB34ED49CB62

Function 004B5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 004B5C7A

Part of subcall function 004B5D0A: GetClientRect.USER32(?,?), ref: 004B5D30
Part of subcall function 004B5D0A: GetWindowRect.USER32(?,?), ref: 004B5D71
Part of subcall function 004B5D0A: ScreenToClient.USER32(?,?), ref: 004B5D99

GetDC.USER32 ref: 004F46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004F4708
SelectObject.GDI32(00000000,00000000), ref: 004F4716
SelectObject.GDI32(00000000,00000000), ref: 004F472B
ReleaseDC.USER32(?,00000000), ref: 004F4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004F47C4

Strings

U, xrefs: 004F4693

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 5a87c2158267e9180f8d975709c47714028ba9000c27a7a9cfec0b7af012480e
Instruction ID: 35bf89e368832f0581c235844ee7e2fb10fdda53c501aae4569916e859088ecb
Opcode Fuzzy Hash: 5a87c2158267e9180f8d975709c47714028ba9000c27a7a9cfec0b7af012480e
Instruction Fuzzy Hash: EC71F234400209DFCF219F64C984AFB7BB6FF86364F14426BEE515A266CB388842DF65

Function 0052359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005235E4

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

LoadStringW.USER32(00582390,?,00000FFF,?), ref: 0052360A

Strings

Line %d (File "%s"):, xrefs: 0052366B
Error: , xrefs: 005236EF
^ ERROR, xrefs: 005236C9
"%s" (%d) : ==> %s:, xrefs: 00523742
"%s" (%d) : ==> %s:%s%s, xrefs: 00523724

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 89e394c88b8e609f2c08f0e6db680c7c6fb0315d6d1a3e6554a85610a0b09351
Instruction ID: 74fbd155024000b782508061f1dd10eb9997c95da98289eb2af2588f9ee6eada
Opcode Fuzzy Hash: 89e394c88b8e609f2c08f0e6db680c7c6fb0315d6d1a3e6554a85610a0b09351
Instruction Fuzzy Hash: 4C516D7180021AAADF14EBA1DC82EEEBF79FF15305F14512AF505720A1DB382B99DF64

Function 0052C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0052C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0052C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0052C2CA
GetLastError.KERNEL32 ref: 0052C322
SetEvent.KERNEL32(?), ref: 0052C336
InternetCloseHandle.WININET(00000000), ref: 0052C341

Strings

, xrefs: 0052C2BB

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a5575c5d10bcb4d063a1d54573047b2b04774d5eb7b010b165dd5537ecdcb13a
Instruction ID: 7ae3b94e177740830aeebfbb68c26d953f5e93e0865cc62011c3a259bee42a99
Opcode Fuzzy Hash: a5575c5d10bcb4d063a1d54573047b2b04774d5eb7b010b165dd5537ecdcb13a
Instruction Fuzzy Hash: 25319E75500614AFD721DF64A888AAF7FFCFFAA744B10891EA48692282DB70DD049B60

Function 0051989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004F3AAF,?,?,Bad directive syntax error,0054CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005198BC
LoadStringW.USER32(00000000,?,004F3AAF,?), ref: 005198C3

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00519987

Strings

Line %d (File "%s"):, xrefs: 0051992D
Line %d:, xrefs: 00519912
Error: , xrefs: 00519955
., xrefs: 0051996D
%s (%d) : ==> %s.: %s %s, xrefs: 005198F1

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 21ca0095148ced711204c1fb4eb5f6d3e10550a3519081c8ab92eed85eae506a
Instruction ID: af6dbba4ef1f6123da92598796d1edf6c72dd3ebc0bb3c1e62288516a5814345
Opcode Fuzzy Hash: 21ca0095148ced711204c1fb4eb5f6d3e10550a3519081c8ab92eed85eae506a
Instruction Fuzzy Hash: 6221B13180021EBBDF11AF91CC5AEEE7F75FF18708F04441AF519620A2EB359A68DB20

Function 0051209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0051214D

Strings

largeicons, xrefs: 005120E1
smallicons, xrefs: 00512115
details, xrefs: 005120FB
SHELLDLL_DefView, xrefs: 005120CC
list, xrefs: 0051212F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 165e4cdb22622f22f7aa14f1eb3e0f5ed01cee6e4d8dc7eb390a44477dc391c1
Instruction ID: 418852baf362c0e8a61912c9b54d8a3095eee9903fd4c281108a7417ed8b4c83
Opcode Fuzzy Hash: 165e4cdb22622f22f7aa14f1eb3e0f5ed01cee6e4d8dc7eb390a44477dc391c1
Instruction Fuzzy Hash: EB113D7A6C4706BAF605A221EC06DFA3F9CEB15328F20401BFB09A81D1FFA55C95A518

Function 004ECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 004ECEB7
_free.LIBCMT ref: 004ECF22
_free.LIBCMT ref: 004ECF48
_free.LIBCMT ref: 004ECF71
_free.LIBCMT ref: 004ECFA9
_free.LIBCMT ref: 004ECFDA
_free.LIBCMT ref: 004ED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 004ED09C
_free.LIBCMT ref: 004ED0B5

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 30953fc7958a90ceee3ee82a9282c0a01588633b00a79e2ded6b369abe7ad56e
Instruction ID: 8dffd2644291e9f33e00c05cb02f47164b6910147fe7940624eb6b8ed06414d7
Opcode Fuzzy Hash: 30953fc7958a90ceee3ee82a9282c0a01588633b00a79e2ded6b369abe7ad56e
Instruction Fuzzy Hash: E2616EB1A05384AFDB21AFB79CC266A7B95EF05319F04416FF900A73C2D63D9D068758

Function 004C8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00506890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,004C8874,00000000,00000000,00000000,000000FF,00000000), ref: 00506901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0050691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,004C8874,00000000,00000000,00000000,000000FF,00000000), ref: 0050692D

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f7361e10d1229b26592fc1700439edac331711fe3403d38969fb353096d57873
Instruction ID: af20ed98d315b534c3a3a875dd775b3eea4ba7d9665a436fae3e6d39b0e75e5c
Opcode Fuzzy Hash: f7361e10d1229b26592fc1700439edac331711fe3403d38969fb353096d57873
Instruction Fuzzy Hash: B9518578600609AFDB208F24CC55FAA7BB5FB98714F10452DF902A72A0EB74AD91EB54

Function 0052C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0052C182
GetLastError.KERNEL32 ref: 0052C195
SetEvent.KERNEL32(?), ref: 0052C1A9

Part of subcall function 0052C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0052C272
Part of subcall function 0052C253: GetLastError.KERNEL32 ref: 0052C322
Part of subcall function 0052C253: SetEvent.KERNEL32(?), ref: 0052C336
Part of subcall function 0052C253: InternetCloseHandle.WININET(00000000), ref: 0052C341

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: a3ab9ba31a0c0054184adabed63c87a1c702d4622a7a759c9db285badcb1dc4c
Instruction ID: 573dddb08cb40f0c86381b81f38ee08c4b5ccc82a1251a79a4d02dc003bc303c
Opcode Fuzzy Hash: a3ab9ba31a0c0054184adabed63c87a1c702d4622a7a759c9db285badcb1dc4c
Instruction Fuzzy Hash: DE31A379101711EFDB219FA5EC04AAA7FF8FF56304B00441DF59683652DB31E814EB60

Function 005125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00513A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00513A57
Part of subcall function 00513A3D: GetCurrentThreadId.KERNEL32 ref: 00513A5E
Part of subcall function 00513A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005125B3), ref: 00513A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00512601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00512605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0051260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00512623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00512627

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2b9736ad516fedcc9ed709b1094dc28631b4ad4e09fb444741229056752403fe
Instruction ID: 44eb93661ae4b96c96721b08cd001fd831c2844c81b8d216b6edc4589522023e
Opcode Fuzzy Hash: 2b9736ad516fedcc9ed709b1094dc28631b4ad4e09fb444741229056752403fe
Instruction Fuzzy Hash: 4F01D430391210BBFB1067699C8EF993F59EFDEB16F110001F318AE0D1C9E22488DAA9

Function 00511803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00511449,?,?,00000000), ref: 0051180C
HeapAlloc.KERNEL32(00000000,?,00511449,?,?,00000000), ref: 00511813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00511449,?,?,00000000), ref: 00511828
GetCurrentProcess.KERNEL32(?,00000000,?,00511449,?,?,00000000), ref: 00511830
DuplicateHandle.KERNEL32(00000000,?,00511449,?,?,00000000), ref: 00511833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00511449,?,?,00000000), ref: 00511843
GetCurrentProcess.KERNEL32(00511449,00000000,?,00511449,?,?,00000000), ref: 0051184B
DuplicateHandle.KERNEL32(00000000,?,00511449,?,?,00000000), ref: 0051184E
CreateThread.KERNEL32(00000000,00000000,00511874,00000000,00000000,00000000), ref: 00511868

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 60fbae34522950751e8cbd1b6a0aeb8579ae87087a1fcffa0bbddd55d5d03dff
Instruction ID: c4e093b8a909474d0d5d5af1a529ab02f508a8881848a08b58817b5ff16afb1b
Opcode Fuzzy Hash: 60fbae34522950751e8cbd1b6a0aeb8579ae87087a1fcffa0bbddd55d5d03dff
Instruction Fuzzy Hash: 1A01BF75241304BFE750AFA5DC4DF973F6CEB9AB15F004411FA05DB191C6709804DB20

Function 004E3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004E3F0B
__alldvrm.LIBCMT ref: 004E410C
__alldvrm.LIBCMT ref: 004E412E

Strings

}}M, xrefs: 004E40CD
}}M, xrefs: 004E3E96, 004E3EF1, 004E3F0A, 004E4090
}}M, xrefs: 004E3E8A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}M$}}M$}}M
API String ID: 1036877536-1954734652
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: af766dced8d80b0125a60ef27d9ce25307ec7ab1014cba2c28a97895ad7c1e22
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 99A16631E002C69FDB22CF1AC8917AAFBE4EFA1356F1441AFE5859B381C23C8941C758

Function 0053A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0051D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0051D501
Part of subcall function 0051D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0051D50F
Part of subcall function 0051D4DC: CloseHandle.KERNELBASE(00000000), ref: 0051D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0053A16D
GetLastError.KERNEL32 ref: 0053A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0053A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0053A268
GetLastError.KERNEL32(00000000), ref: 0053A273
CloseHandle.KERNEL32(00000000), ref: 0053A2C4

Strings

SeDebugPrivilege, xrefs: 0053A18F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 9084535fa05d0c075372007339c89ab7ed9186a86881b9124707895d6febdcbb
Instruction ID: c0c113bb6e9b955a1f74b6867bce3ffbcda31a7a7a13018c3e0482d19db83ea9
Opcode Fuzzy Hash: 9084535fa05d0c075372007339c89ab7ed9186a86881b9124707895d6febdcbb
Instruction Fuzzy Hash: 1E617A342042429FD720DF19C494F66BFA1BF94318F18848CF4A68B6A2C776EC49CB92

Function 00543886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00543925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0054393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00543954
_wcslen.LIBCMT ref: 00543999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005439F4

Strings

SysListView32, xrefs: 005438F7

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: e66df31d7f8a5770d0eccd319f394fdd2b1a614cfe74f0ada300e53ee96a220c
Instruction ID: f8a581e4f26be0a8ce0d5c3860b9d13a5c5b923ecbe4df5375b531f05feee556
Opcode Fuzzy Hash: e66df31d7f8a5770d0eccd319f394fdd2b1a614cfe74f0ada300e53ee96a220c
Instruction Fuzzy Hash: 9B41D571A00219ABEF219F64CC49FEA7FA9FF48358F10052AF958E7291D7719D84CB90

Function 0051BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0051BCFD
IsMenu.USER32(00000000), ref: 0051BD1D
CreatePopupMenu.USER32 ref: 0051BD53
GetMenuItemCount.USER32(009E57D0), ref: 0051BDA4
InsertMenuItemW.USER32(009E57D0,?,00000001,00000030), ref: 0051BDCC

Strings

0, xrefs: 0051BCA8
2, xrefs: 0051BD37

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: fb1fa81a3650148fb8c5e0ed124e29d8e388638f6bb79afdb655b78970073e83
Instruction ID: b2972e94fc0ea1bdefc57f6efece9adb4ebeb870530142d6fce1b84f64400f19
Opcode Fuzzy Hash: fb1fa81a3650148fb8c5e0ed124e29d8e388638f6bb79afdb655b78970073e83
Instruction Fuzzy Hash: 61519C70A002059BFB28DFA8E888BEEBFF4BF9A314F144659E411D7290D7719985CB61

Function 004D2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004D2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 004D2D53
_ValidateLocalCookies.LIBCMT ref: 004D2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 004D2E0C
_ValidateLocalCookies.LIBCMT ref: 004D2E61

Strings

csm, xrefs: 004D2DF6
&HM, xrefs: 004D2DFE, 004D2E07, 004D2E18

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HM$csm
API String ID: 1170836740-3229897379
Opcode ID: 937a8102a4279dece41726045d071ba90a9cb92adf497fcd6bb1de3d501c27fa
Instruction ID: 5c92eddbfb7ed7ddf398544c7035b478af0937186ce05cf7ba97dbffe3c09199
Opcode Fuzzy Hash: 937a8102a4279dece41726045d071ba90a9cb92adf497fcd6bb1de3d501c27fa
Instruction Fuzzy Hash: 0A41E334A00208ABCF10DF69C964A9FBFB5BF54329F14805BF8146B392D779AA05CBD5

Function 0051C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0051C913

Strings

warning, xrefs: 0051C8FC
blank, xrefs: 0051C895
stop, xrefs: 0051C8E4
info, xrefs: 0051C8B4
question, xrefs: 0051C8CC

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 59bd0bb9702f08e1e84b289b29159e28da4b26d18cca823c87bd6e7e11c71807
Instruction ID: 699f88a7152a95400ef5f4a7c9770fba3a4556993ba2bd2d283889f5847db8e6
Opcode Fuzzy Hash: 59bd0bb9702f08e1e84b289b29159e28da4b26d18cca823c87bd6e7e11c71807
Instruction Fuzzy Hash: 511108317C9706BAB7045B54ACC3CEE2F9CFF15768B10442FF504AA282D7766D806268

Function 0051DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0051DE42
gethostname.WSOCK32(?,00000100), ref: 0051DE5C
gethostbyname.WSOCK32(?), ref: 0051DE69
inet_ntoa.WSOCK32(?), ref: 0051DEAB
_strcat.LIBCMT ref: 0051DEB9
WSACleanup.WSOCK32 ref: 0051DEDE

Strings

0.0.0.0, xrefs: 0051DE87

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: fbe08c01b2530dead4ec2d62fe6ee05f8826606f544e946696aa712524d57319
Instruction ID: f04c30a16288ef0f85a54eea3956fbb961a5dc69db96f85ab7eb93002d38fb7f
Opcode Fuzzy Hash: fbe08c01b2530dead4ec2d62fe6ee05f8826606f544e946696aa712524d57319
Instruction Fuzzy Hash: 46113A75904104ABDB64AB319C0AEDE7FBCEF51319F0002AEF40596191EF788AC59E60

Function 0051ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0051ED2A
_wcslen.LIBCMT ref: 0051ED3B
_wcslen.LIBCMT ref: 0051ED79
_wcslen.LIBCMT ref: 0051EDAF
_wcslen.LIBCMT ref: 0051EDDF
_wcslen.LIBCMT ref: 0051EDEF
_wcslen.LIBCMT ref: 0051EE2B
_wcslen.LIBCMT ref: 0051EE5A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 9b626834b749ca9662f2163371cb8d5c9a9bf9da5777d168089292a6c6aedfe7
Instruction ID: 9da3d43739e76d72583bfdb99a08b337f819fd293e286a506aefbcf79ea9ad8a
Opcode Fuzzy Hash: 9b626834b749ca9662f2163371cb8d5c9a9bf9da5777d168089292a6c6aedfe7
Instruction Fuzzy Hash: B241B365C1011866DB11EBB58C8B9CF77ACAF45300F0045ABE914E3222EB38E285C3E9

Function 004CF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0050682C,00000004,00000000,00000000), ref: 004CF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0050682C,00000004,00000000,00000000), ref: 0050F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0050682C,00000004,00000000,00000000), ref: 0050F454

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 336750bbe5628c2312369715af76a6c1773b75bf6effa16ccc4ef4c468b5a5d6
Instruction ID: 9261149fd91f4404c551188e19fedb324f74b20cce8e6c3f136e16e5888b7929
Opcode Fuzzy Hash: 336750bbe5628c2312369715af76a6c1773b75bf6effa16ccc4ef4c468b5a5d6
Instruction Fuzzy Hash: 48413E78104640BBCFF89B298888F6F7F93BB96314F14543EE447526A0C63DA889DB15

Function 00542D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00542D1B
GetDC.USER32(00000000), ref: 00542D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00542D2E
ReleaseDC.USER32(00000000,00000000), ref: 00542D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00542D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00542D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00545A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00542DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00542DE1

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 4a5a02501381af9316a8d53f1f89d50597cbd259677232051f8b7eb3dcf02ea0
Instruction ID: 2ef19b403f65298106eb13b630a76c4e63ad3d66d3dbb7e62ab1f1e4ad39c545
Opcode Fuzzy Hash: 4a5a02501381af9316a8d53f1f89d50597cbd259677232051f8b7eb3dcf02ea0
Instruction Fuzzy Hash: 23318D76202624BBEB214F548C89FEB3FA9FB5A719F044055FE089A291C6759C51CBA0

Function 00515622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00515637
_memcmp.LIBVCRUNTIME ref: 00515659
_memcmp.LIBVCRUNTIME ref: 00515671
_memcmp.LIBVCRUNTIME ref: 00515684
_memcmp.LIBVCRUNTIME ref: 0051569E
_memcmp.LIBVCRUNTIME ref: 005156B1
_memcmp.LIBVCRUNTIME ref: 005156C9
_memcmp.LIBVCRUNTIME ref: 005156E4

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f1c05e0ef505a4cafbf7818b192e35519b59bc05629ff16fb4b33d6899342ff3
Instruction ID: ad4e368fe5011bc7e963989ce14176a227f8c62f511b100e5aefa19e642445a8
Opcode Fuzzy Hash: f1c05e0ef505a4cafbf7818b192e35519b59bc05629ff16fb4b33d6899342ff3
Instruction Fuzzy Hash: FF21C971644A09FBF21455259D92FFA3B5CFFA2388F440026FD059AA82F774ED50C2E9

Function 00534FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00535007
NULL Pointer assignment, xrefs: 0053502E, 00535383

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 024c4fb5573bfa0587580cc23bd3b039c780bfa8870f513b1347828a4b104170
Instruction ID: 5c8f930c3860b919f518d651bb207a17be7261f3cb18b0c6262f27bbdff0064b
Opcode Fuzzy Hash: 024c4fb5573bfa0587580cc23bd3b039c780bfa8870f513b1347828a4b104170
Instruction Fuzzy Hash: 14D1F375A0060A9FDF14CFA8C884FAEBBB5FF48304F149469E915AB281E771DD45CB90

Function 004F1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004F17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004F15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004F1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004F17FB,?,004F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004F16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004F16FB

Part of subcall function 004E3820: RtlAllocateHeap.NTDLL(00000000,?,00581444,?,004CFDF5,?,?,004BA976,00000010,00581440,004B13FC,?,004B13C6,?,004B1129), ref: 004E3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004F1777
__freea.LIBCMT ref: 004F17A2
__freea.LIBCMT ref: 004F17AE

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 6577ca8f5c9b9b8ddef631c862c143f94e9e2f2631358ee307750d55a7d17921
Instruction ID: d20725ba600368b09d481b571370541c557b6349353021ece0e2662bcaec5209
Opcode Fuzzy Hash: 6577ca8f5c9b9b8ddef631c862c143f94e9e2f2631358ee307750d55a7d17921
Instruction Fuzzy Hash: 6391C271E0020AEADB209E75C881AFF7BF59F49314F18065BEA05E7261D729CC45CB69

Function 00534523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00534648
VariantInit.OLEAUT32(?), ref: 00534749
VariantClear.OLEAUT32(?), ref: 00534753
VariantClear.OLEAUT32(?), ref: 005347B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 005345D8, 00534706, 005347BE
Incorrect Object type in FOR..IN loop, xrefs: 0053472C

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: dc2090e9ac3b8308591df518b3d40b79d1584f16e77a7482092e5496b51c076f
Instruction ID: 519662d093436f590020cb65c6798adc1fb4bb172617fe923bee3f4f4099c0fc
Opcode Fuzzy Hash: dc2090e9ac3b8308591df518b3d40b79d1584f16e77a7482092e5496b51c076f
Instruction Fuzzy Hash: 58918171A00219ABDF20CFA5D889FAEBFB8FF46714F108559F505AB281D770A945CFA0

Function 00521187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0052125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00521284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0052135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00521430

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: f0aad55ead232369abd7bd238f1dadf25aa26563213162a75a6742c96c20c736
Instruction ID: fb685ffb7ffa1b171b798b1989ea2175eaa740e30a81c58b19c5d88059e1e40b
Opcode Fuzzy Hash: f0aad55ead232369abd7bd238f1dadf25aa26563213162a75a6742c96c20c736
Instruction Fuzzy Hash: 459134759006299FDB00DF95E884BBFBBB5FF56315F104429E500EB2D1D778A801CB98

Function 004C948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: de0257fe1fcdac117663c5898962d837da75d4e09bda8bb135cdad22a8291a3f
Instruction ID: 58a5bda566f7dfd48477f19c677d97dc291d2172d8b2e750320e8641f630223e
Opcode Fuzzy Hash: de0257fe1fcdac117663c5898962d837da75d4e09bda8bb135cdad22a8291a3f
Instruction Fuzzy Hash: 9C912875D00219EFCB50CFA9C848AEEBBB8FF49320F14445AE515B7291D378AD42CB64

Function 00533947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0053396B
CharUpperBuffW.USER32(?,?), ref: 00533A7A
_wcslen.LIBCMT ref: 00533A8A
VariantClear.OLEAUT32(?), ref: 00533C1F

Part of subcall function 00520CDF: VariantInit.OLEAUT32(00000000), ref: 00520D1F
Part of subcall function 00520CDF: VariantCopy.OLEAUT32(?,?), ref: 00520D28
Part of subcall function 00520CDF: VariantClear.OLEAUT32(?), ref: 00520D34

Strings

AUTOIT.ERROR, xrefs: 00533A80, 00533A85
Incorrect Parameter format, xrefs: 005339A6, 00533BA1

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: cee99cc557f21dd7a0a6003e388cc728d1b3cd09b27b39a12c3f05f3b33dbe49
Instruction ID: 18b4c6375e040d23bdb74b4277806b586de452607c2869c959a6710ff7ef01f0
Opcode Fuzzy Hash: cee99cc557f21dd7a0a6003e388cc728d1b3cd09b27b39a12c3f05f3b33dbe49
Instruction Fuzzy Hash: 489157756083059FC700EF25C49596ABBE4FF89318F14886EF88A9B351DB34EE45CB92

Function 00534BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0051000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0050FF41,80070057,?,?,?,0051035E), ref: 0051002B
Part of subcall function 0051000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0050FF41,80070057,?,?), ref: 00510046
Part of subcall function 0051000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0050FF41,80070057,?,?), ref: 00510054
Part of subcall function 0051000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0050FF41,80070057,?), ref: 00510064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00534C51
_wcslen.LIBCMT ref: 00534D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00534DCF
CoTaskMemFree.OLE32(?), ref: 00534DDA

Strings

NULL Pointer assignment, xrefs: 00534E23, 00534E52

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 8365dd3f34302981cb13b4749a64db07ffce24b59730f1caf05c74d0151b6881
Instruction ID: a1b18395b9154c1f8f44f6056276201d9f3d36ecce8f5b4be81bd2186104e0fe
Opcode Fuzzy Hash: 8365dd3f34302981cb13b4749a64db07ffce24b59730f1caf05c74d0151b6881
Instruction Fuzzy Hash: 28912671D0021DAFDF10DFA5C891AEEBBB8BF48304F10456AE915A7291EB34AE45DF60

Function 005420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00542183
GetMenuItemCount.USER32(00000000), ref: 005421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005421DD
_wcslen.LIBCMT ref: 00542213
GetMenuItemID.USER32(?,?), ref: 0054224D
GetSubMenu.USER32(?,?), ref: 0054225B

Part of subcall function 00513A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00513A57
Part of subcall function 00513A3D: GetCurrentThreadId.KERNEL32 ref: 00513A5E
Part of subcall function 00513A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005125B3), ref: 00513A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005422E3

Part of subcall function 0051E97B: Sleep.KERNEL32 ref: 0051E9F3

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 69d1455da9623e1274873fdcc542d5c283e01f5d2fe867a3ef9254adfda9d35e
Instruction ID: 78a55e3dd3054a46f56898cbbf66ee67f8adf5ae815f1189bb0821870b169314
Opcode Fuzzy Hash: 69d1455da9623e1274873fdcc542d5c283e01f5d2fe867a3ef9254adfda9d35e
Instruction Fuzzy Hash: EB718E79A00215AFCB10DF65C885AEEBBF1BF88318F508499F816EB341D774AD41CBA0

Function 00547E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(009E5550), ref: 00547F37
IsWindowEnabled.USER32(009E5550), ref: 00547F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0054801E
SendMessageW.USER32(009E5550,000000B0,?,?), ref: 00548051
IsDlgButtonChecked.USER32(?,?), ref: 00548089
GetWindowLongW.USER32(009E5550,000000EC), ref: 005480AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005480C3

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2f5d191c09e85c12cfa71b87022c927366e6758b183ab683ff556444d7e8ef17
Instruction ID: 97ec41b18685337271a76fb608412bd5caab76ce20efba122a1a434d53181703
Opcode Fuzzy Hash: 2f5d191c09e85c12cfa71b87022c927366e6758b183ab683ff556444d7e8ef17
Instruction Fuzzy Hash: 07717C34608248BFEB259F64C888FFA7FB9FF59308F14445AE95597261CB31AC49DB10

Function 0051AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0051AEF9
GetKeyboardState.USER32(?), ref: 0051AF0E
SetKeyboardState.USER32(?), ref: 0051AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0051AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0051AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0051AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0051B020

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9016caaf3ec9d6bcee28990681dde41c9b61b589a4e4183b321a5a2407053a0f
Instruction ID: 8bb2c404dd28785c99808d4f21cf614ab68349e8bdb1238e61331a89b576bbb9
Opcode Fuzzy Hash: 9016caaf3ec9d6bcee28990681dde41c9b61b589a4e4183b321a5a2407053a0f
Instruction Fuzzy Hash: 8E51B3A06057D53DFB3782348C49BFA7EA96B46304F088589F1E9554C3D3A8ACC9D761

Function 0051ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0051AD19
GetKeyboardState.USER32(?), ref: 0051AD2E
SetKeyboardState.USER32(?), ref: 0051AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0051ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0051ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0051AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0051AE38

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d5ed26d675414eb1c2879bbe75cc84b8cfdcc6c4934c93541fc4d6144391c724
Instruction ID: aef594349af589d6bf3d99cecf6e3bb5cb272290ed6f776bf2acfc028ef33d2c
Opcode Fuzzy Hash: d5ed26d675414eb1c2879bbe75cc84b8cfdcc6c4934c93541fc4d6144391c724
Instruction Fuzzy Hash: E951D4A15067D53DFB3783348C55BFA7EA97B46304F088588E1D5468C2D2A4ECD8E762

Function 004E542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(004F3CD6,?,?,?,?,?,?,?,?,004E5BA3,?,?,004F3CD6,?,?), ref: 004E5470
__fassign.LIBCMT ref: 004E54EB
__fassign.LIBCMT ref: 004E5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,004F3CD6,00000005,00000000,00000000), ref: 004E552C
WriteFile.KERNEL32(?,004F3CD6,00000000,004E5BA3,00000000,?,?,?,?,?,?,?,?,?,004E5BA3,?), ref: 004E554B
WriteFile.KERNEL32(?,?,00000001,004E5BA3,00000000,?,?,?,?,?,?,?,?,?,004E5BA3,?), ref: 004E5584

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 75105b23638fe1e9658cf10fb8a5d27f82b3a6143b4cc9ce451d8925c493237b
Instruction ID: 49e751b8b603a3f5d6897c022cf1b09500b6d5d3a62fa8aaa41e58b83f0cae55
Opcode Fuzzy Hash: 75105b23638fe1e9658cf10fb8a5d27f82b3a6143b4cc9ce451d8925c493237b
Instruction Fuzzy Hash: C95113B0A00688AFCB10CFA9D845AEEBBF9EF09305F24415BF945E7391D3349A41CB64

Function 005310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0053304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0053307A
Part of subcall function 0053304E: _wcslen.LIBCMT ref: 0053309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00531112
WSAGetLastError.WSOCK32 ref: 00531121
WSAGetLastError.WSOCK32 ref: 005311C9
closesocket.WSOCK32(00000000), ref: 005311F9

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 0aa546a4ccd940677e8acba174b4bbdc4a7df0806f0ca2902259ae8f736c5f1a
Instruction ID: 82453ea61564f357a0cb5c98e09b0680bd384d5fb8d6b92149a6398e7e39ce9e
Opcode Fuzzy Hash: 0aa546a4ccd940677e8acba174b4bbdc4a7df0806f0ca2902259ae8f736c5f1a
Instruction Fuzzy Hash: 8741F035600604AFDB109F24C884BEABFE9FF86368F148059FD069B291C774AD45CBE5

Function 0051CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0051DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0051CF22,?), ref: 0051DDFD

Part of subcall function 0051DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0051CF22,?), ref: 0051DE16

lstrcmpiW.KERNEL32(?,?), ref: 0051CF45
MoveFileW.KERNEL32(?,?), ref: 0051CF7F
_wcslen.LIBCMT ref: 0051D005
_wcslen.LIBCMT ref: 0051D01B
SHFileOperationW.SHELL32(?), ref: 0051D061

Strings

\*.*, xrefs: 0051CFF3

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 406f15364837bd0e181b1bd0c4812affb282649d2480ce6e3bcc9d5825ea7cee
Instruction ID: 840ec4241d9ab361d33e1c26d97e28db3cf43038239de6d3751afe345030d451
Opcode Fuzzy Hash: 406f15364837bd0e181b1bd0c4812affb282649d2480ce6e3bcc9d5825ea7cee
Instruction Fuzzy Hash: BA4187718452195FEF12EFA4D985ADDBFB9BF48380F1000EAE505EB141EB35AAC9CB50

Function 00542DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00542E1C
GetWindowLongW.USER32(?,000000F0), ref: 00542E4F
GetWindowLongW.USER32(?,000000F0), ref: 00542E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00542EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00542EE0
GetWindowLongW.USER32(?,000000F0), ref: 00542EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00542F0B

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 0cbd4c12d32ed2968888dac9d101a6a23716b7b22a90366d1b9d6398df6a50ee
Instruction ID: 506d9d8628b3447ab8e82e7a3b0448c4b2f9ab83ae91122db470d6e72e8ddfa7
Opcode Fuzzy Hash: 0cbd4c12d32ed2968888dac9d101a6a23716b7b22a90366d1b9d6398df6a50ee
Instruction Fuzzy Hash: CA313534605260AFDB20CF58DC84FA53BE8FBAA718F955164F9149F2B2CB71AC55EB00

Function 00517726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00517769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0051778F
SysAllocString.OLEAUT32(00000000), ref: 00517792
SysAllocString.OLEAUT32(?), ref: 005177B0
SysFreeString.OLEAUT32(?), ref: 005177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005177DE
SysAllocString.OLEAUT32(?), ref: 005177EC

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 454d8a306df3fd2f0024fa1c390ce3083d3977729527da04efe30014a6211cff
Instruction ID: 2093d79cbc97cb6b9ebc8c2867fd30f05419c00245687630b939ca9e21b85845
Opcode Fuzzy Hash: 454d8a306df3fd2f0024fa1c390ce3083d3977729527da04efe30014a6211cff
Instruction Fuzzy Hash: FF21BF3A604209AFEF00DFACCC88CFA7BACFB09364B008425B915CB190D6749C858764

Function 005177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00517842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00517868
SysAllocString.OLEAUT32(00000000), ref: 0051786B
SysAllocString.OLEAUT32 ref: 0051788C
SysFreeString.OLEAUT32 ref: 00517895
StringFromGUID2.OLE32(?,?,00000028), ref: 005178AF
SysAllocString.OLEAUT32(?), ref: 005178BD

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6bfdf377d923463b6bef4b60e7320f11a108e288926a34d52294bb5231f2a5eb
Instruction ID: 7feb176aa69924a13243947488859f3e181885597c928cdbd59923e99f214dee
Opcode Fuzzy Hash: 6bfdf377d923463b6bef4b60e7320f11a108e288926a34d52294bb5231f2a5eb
Instruction Fuzzy Hash: 18219C35608208BFAB10AFACCC88DEA7BA8FB493647108425B915CB2A1D664DC85DB64

Function 005204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0052052E

Strings

nul, xrefs: 00520567

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 1f5a0c8ece1ce882e97d8a8cdb465e8b244f6c2ae5cbf70bc5841c23431c336c
Instruction ID: c62f5ba511b0487c61b3d918dafe3ae7552fc04e02525617f9f063ede51a69f0
Opcode Fuzzy Hash: 1f5a0c8ece1ce882e97d8a8cdb465e8b244f6c2ae5cbf70bc5841c23431c336c
Instruction Fuzzy Hash: 5721A2746013259BCF208F28EC44A9A7FF4BF96724F204A18F8A1D31E1D7B09940DF60

Function 005205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00520601

Strings

nul, xrefs: 00520639

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 735c3c1b1230f6a15a1af10b44dd000308e12bbbc8d6ca86bb811dbce5df0e3b
Instruction ID: 4e6928b8362d07ca0bf6d7be08ba99736a21a84c2eba7c68221695a2c8f93a83
Opcode Fuzzy Hash: 735c3c1b1230f6a15a1af10b44dd000308e12bbbc8d6ca86bb811dbce5df0e3b
Instruction Fuzzy Hash: 34219A755013159FDB209F69EC44A9A7FE4BF96724F201A19F8A1D72E1D7B0A850CB10

Function 005440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004B604C
Part of subcall function 004B600E: GetStockObject.GDI32(00000011), ref: 004B6060
Part of subcall function 004B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 004B606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00544112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0054411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0054412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00544139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00544145

Strings

Msctls_Progress32, xrefs: 005440E3

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8310b6195119e5be1e8799e57242c471fbc6f83ed38505d3403bcca1c87211e3
Instruction ID: 8074cc0f2cc3b61cfc662c3821250b12b7ab05f1be309f54f5d72c1012bd4d2b
Opcode Fuzzy Hash: 8310b6195119e5be1e8799e57242c471fbc6f83ed38505d3403bcca1c87211e3
Instruction Fuzzy Hash: 441190B214021DBEEF119E64CC86EE77F5DFF18798F015111BA18A6050C6769C21DBA4

Function 004ED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004ED7A3: _free.LIBCMT ref: 004ED7CC

_free.LIBCMT ref: 004ED82D

Part of subcall function 004E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004ED7D1,00000000,00000000,00000000,00000000,?,004ED7F8,00000000,00000007,00000000,?,004EDBF5,00000000), ref: 004E29DE
Part of subcall function 004E29C8: GetLastError.KERNEL32(00000000,?,004ED7D1,00000000,00000000,00000000,00000000,?,004ED7F8,00000000,00000007,00000000,?,004EDBF5,00000000,00000000), ref: 004E29F0

_free.LIBCMT ref: 004ED838
_free.LIBCMT ref: 004ED843
_free.LIBCMT ref: 004ED897
_free.LIBCMT ref: 004ED8A2
_free.LIBCMT ref: 004ED8AD
_free.LIBCMT ref: 004ED8B8

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 4db276408f6a9c31f9df531d96ee20e21844e5f62f73b2d2d03a0a07e931e6b0
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 461151B1A40B88AAD521BFB3CC47FCB7BDC6F00706F40082EB6D9A6093DA6DB5054654

Function 0051DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0051DA74
LoadStringW.USER32(00000000), ref: 0051DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0051DA91
LoadStringW.USER32(00000000), ref: 0051DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0051DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0051DAB9

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 2995ef265ff0e9fb4d983d83ad0bab7c8b393e6f30a527fbc4ba60ee5db5e38e
Instruction ID: 7d680940df5ba802dd300cf1804b1ff499792f8b737317764927cc561cb63c68
Opcode Fuzzy Hash: 2995ef265ff0e9fb4d983d83ad0bab7c8b393e6f30a527fbc4ba60ee5db5e38e
Instruction Fuzzy Hash: 2E0186F65002087FFB50DBA49D8DEEB3B6CEB49305F404895B706E2041EA749E889F74

Function 0052096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(009DD508,009DD508), ref: 0052097B
EnterCriticalSection.KERNEL32(009DD4E8,00000000), ref: 0052098D
TerminateThread.KERNEL32(?,000001F6), ref: 0052099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 005209A9
CloseHandle.KERNEL32(?), ref: 005209B8
InterlockedExchange.KERNEL32(009DD508,000001F6), ref: 005209C8
LeaveCriticalSection.KERNEL32(009DD4E8), ref: 005209CF

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 03f1e1a4aea76628dda75be0a5c3428d19fddb9a22481e1ace9a2cc7d8fa9e53
Instruction ID: 256b04ef560f8fdcd0ccffd6aff904fe7201b52e161daedbb5f5288d7dfdd975
Opcode Fuzzy Hash: 03f1e1a4aea76628dda75be0a5c3428d19fddb9a22481e1ace9a2cc7d8fa9e53
Instruction Fuzzy Hash: 33F08136147912BBD7811F90EE8CBD67F34FF52706F402011F102518A1C7B09469DF90

Function 00531C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00531DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00531DE1
WSAGetLastError.WSOCK32 ref: 00531DF2
htons.WSOCK32(?,?,?,?,?), ref: 00531EDB
inet_ntoa.WSOCK32(?), ref: 00531E8C

Part of subcall function 005139E8: _strlen.LIBCMT ref: 005139F2

Part of subcall function 00533224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0052EC0C), ref: 00533240

_strlen.LIBCMT ref: 00531F35

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 7cdc49b1de244a8a54e60b6463879616dbeb2c5f3ff35f164d2b37a66895cf50
Instruction ID: b02860f9eb2b97c7ef979da54034dc3c2b5854c14c9da3dd0d4126b081005a4b
Opcode Fuzzy Hash: 7cdc49b1de244a8a54e60b6463879616dbeb2c5f3ff35f164d2b37a66895cf50
Instruction Fuzzy Hash: EAB1ED34204700AFC324EF35C885E6A7BA5BF85318F54894DF4564B2E2CB35ED46CBA6

Function 004B5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004B5D30
GetWindowRect.USER32(?,?), ref: 004B5D71
ScreenToClient.USER32(?,?), ref: 004B5D99
GetClientRect.USER32(?,?), ref: 004B5ED7
GetWindowRect.USER32(?,?), ref: 004B5EF8

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 30cef4b4347d38c7c1ee5c3ea9ff352b83e9d5955a07aa6a696a40920df8a201
Instruction ID: 705ed92b9c25aaa2e7fd542ac840be083f36fec09ae9ceae025acb1fa05f47ce
Opcode Fuzzy Hash: 30cef4b4347d38c7c1ee5c3ea9ff352b83e9d5955a07aa6a696a40920df8a201
Instruction Fuzzy Hash: 87B18A78A0064ADBDB10DFA8C4407FAB7F1FF58310F14851AE8A9D7250DB38EA41DB69

Function 004E01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004E00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004E00D6
__allrem.LIBCMT ref: 004E00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004E010B
__allrem.LIBCMT ref: 004E0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004E0140

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 1476fb4900cbd7f3d94e6427835713443beb94b6edd0f109bca2ab3f0badcee9
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: D88105716007469BE7209B2ACC41B6BB3E8EF41329F24463FF561DB381E7B9D9408798

Function 004E61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004D82D9,004D82D9,?,?,?,004E644F,00000001,00000001,8BE85006), ref: 004E6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004E644F,00000001,00000001,8BE85006,?,?,?), ref: 004E62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004E63D8
__freea.LIBCMT ref: 004E63E5

Part of subcall function 004E3820: RtlAllocateHeap.NTDLL(00000000,?,00581444,?,004CFDF5,?,?,004BA976,00000010,00581440,004B13FC,?,004B13C6,?,004B1129), ref: 004E3852

__freea.LIBCMT ref: 004E63EE
__freea.LIBCMT ref: 004E6413

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f2c10ef21a3cea11e77bf764049c31df4de27a963981bfb75afa92a3d9111494
Instruction ID: 5b6ff0fb8d204ea4515d286387753311e40d4a58f4c42f36b4e308098d7f6fd4
Opcode Fuzzy Hash: f2c10ef21a3cea11e77bf764049c31df4de27a963981bfb75afa92a3d9111494
Instruction Fuzzy Hash: EA513772600246ABDB258F66CC81EBF37A9EB60796F16066FFD05D7240DB38DC40C668

Function 0053BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

Part of subcall function 0053C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053B6AE,?,?), ref: 0053C9B5
Part of subcall function 0053C998: _wcslen.LIBCMT ref: 0053C9F1
Part of subcall function 0053C998: _wcslen.LIBCMT ref: 0053CA68
Part of subcall function 0053C998: _wcslen.LIBCMT ref: 0053CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0053BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0053BD25
RegCloseKey.ADVAPI32(00000000), ref: 0053BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0053BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0053BDF3
RegCloseKey.ADVAPI32(?), ref: 0053BDFF

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: d32c603e56823f279cda4b4d0bf54a6135a859ed5d93dc073efb4d936e50752f
Instruction ID: aac66e5a6d12671e6a2944f6793a5c2eb1a79c3dd00ea8d589d54e8a24a50c9c
Opcode Fuzzy Hash: d32c603e56823f279cda4b4d0bf54a6135a859ed5d93dc073efb4d936e50752f
Instruction Fuzzy Hash: D781AD70208241EFD714DF24C885E6ABBE5FF84308F14895DF55A8B2A2DB36ED45CB92

Function 0050F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0050F7B9
SysAllocString.OLEAUT32(00000001), ref: 0050F860
VariantCopy.OLEAUT32(0050FA64,00000000), ref: 0050F889
VariantClear.OLEAUT32(0050FA64), ref: 0050F8AD
VariantCopy.OLEAUT32(0050FA64,00000000), ref: 0050F8B1
VariantClear.OLEAUT32(?), ref: 0050F8BB

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: c0836a7a59f20c9fda990a1cab31944293267d5df9213cdfcf586deab7da6b95
Instruction ID: b6ba2db96a6d23296542f14d9a36b937e35de30839985fa9e159013f129bd1f3
Opcode Fuzzy Hash: c0836a7a59f20c9fda990a1cab31944293267d5df9213cdfcf586deab7da6b95
Instruction Fuzzy Hash: 54510835600310BACF70AB65D895B6DBBA8FF85314B24986BE902DF6D1DB748C40C7A6

Function 0052910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 004B7620: _wcslen.LIBCMT ref: 004B7625

Part of subcall function 004B6B57: _wcslen.LIBCMT ref: 004B6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005294E5
_wcslen.LIBCMT ref: 00529506
_wcslen.LIBCMT ref: 0052952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00529585

Strings

X, xrefs: 00529412

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: cc22df5e1a2ca4047e10bc4f1066ba45a179623a560da661d1586369aa79d5ae
Instruction ID: 804ae7bd4481ea701d1493d2750243b3987ec8ac824301b6267430ed4b8d8ebb
Opcode Fuzzy Hash: cc22df5e1a2ca4047e10bc4f1066ba45a179623a560da661d1586369aa79d5ae
Instruction Fuzzy Hash: D6E1C631604310DFD724DF25D481AAABBE4BF85318F14896EF8899B392DB34DD05CBA6

Function 004C920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 004C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004C9BB2

BeginPaint.USER32(?,?,?), ref: 004C9241
GetWindowRect.USER32(?,?), ref: 004C92A5
ScreenToClient.USER32(?,?), ref: 004C92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004C92D3
EndPaint.USER32(?,?,?,?,?), ref: 004C9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005071EA

Part of subcall function 004C9339: BeginPath.GDI32(00000000), ref: 004C9357

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 6ce4cd563f525e861fe697235af03ef8bb8d2f9420e65538b5c568aac9af774a
Instruction ID: 0d6d7993941fa8f84b66ea77936a11f37bd5399a9fc613efb1de4d3ac00e99e5
Opcode Fuzzy Hash: 6ce4cd563f525e861fe697235af03ef8bb8d2f9420e65538b5c568aac9af774a
Instruction Fuzzy Hash: 5341B034105200AFD710DF15CC88FAA7BA8FB9A324F04066EF994962E1C7349C4AEB65

Function 005207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0052080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00520847
EnterCriticalSection.KERNEL32(?), ref: 00520863
LeaveCriticalSection.KERNEL32(?), ref: 005208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00520921

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 36ef39f42f184e83885f1b747868762346799bfb50fd3aec2e9570033948144e
Instruction ID: 0e80695e08aa598d9c28bd5f258188fedf105573cf27bd73c9c6d0bcbbeb6a08
Opcode Fuzzy Hash: 36ef39f42f184e83885f1b747868762346799bfb50fd3aec2e9570033948144e
Instruction Fuzzy Hash: CA41BD35900205EFDF04AF54EC85AAA7BB9FF45304F1040AAED009B297DB74DE64EBA4

Function 005481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0050F3AB,00000000,?,?,00000000,?,0050682C,00000004,00000000,00000000), ref: 0054824C
EnableWindow.USER32(?,00000000), ref: 00548272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005482D1
ShowWindow.USER32(?,00000004), ref: 005482E5
EnableWindow.USER32(?,00000001), ref: 0054830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0054832F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 9d675ccef5181245eed913a613b1d396ed684cf8ed6949e80bec92c8688b73aa
Instruction ID: 9e8cfc62af4c401e041b4220b6c576b5ea4227aba4c7321cbd2236854df536cd
Opcode Fuzzy Hash: 9d675ccef5181245eed913a613b1d396ed684cf8ed6949e80bec92c8688b73aa
Instruction Fuzzy Hash: AD41D538605A40AFDB15CF14CC99BF87FE0FB5AB18F185268E9085F262CB71AC45DB40

Function 00514C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00514C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00514CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00514CEA
_wcslen.LIBCMT ref: 00514D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00514D10
_wcsstr.LIBVCRUNTIME ref: 00514D1A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 051d69368db57f8cecc0df674088a4b39a5b3af5d017382abf62b39904d49745
Instruction ID: 775cf8ad8d87b34aabcdc4795a1d74faf6b20a27bfb8ef32f6a071e52560b1e4
Opcode Fuzzy Hash: 051d69368db57f8cecc0df674088a4b39a5b3af5d017382abf62b39904d49745
Instruction Fuzzy Hash: 5C2129752052007BFB555B3AAC09EBB7F9CEF45754F10902EF805CE192EA65CC409AA0

Function 0052581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 004B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004B3A97,?,?,004B2E7F,?,?,?,00000000), ref: 004B3AC2

_wcslen.LIBCMT ref: 0052587B
CoInitialize.OLE32(00000000), ref: 00525995
CoCreateInstance.OLE32(0054FCF8,00000000,00000001,0054FB68,?), ref: 005259AE
CoUninitialize.OLE32 ref: 005259CC

Strings

.lnk, xrefs: 00525876, 005258C1, 00525985

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: ee4da611067b12c973e8d8949fa6bff03c47731c535f4235e6643e577ad1f5a1
Instruction ID: e14136af122dce6861e98bd5159c26ad8e5b52c998ac17d46e9aa4545df529e3
Opcode Fuzzy Hash: ee4da611067b12c973e8d8949fa6bff03c47731c535f4235e6643e577ad1f5a1
Instruction Fuzzy Hash: 3DD177706047119FC714DF25D484A6ABBE1FF8A718F10885DF88A9B3A1E731EC45CBA2

Function 0051175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00510FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00510FCA
Part of subcall function 00510FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00510FD6
Part of subcall function 00510FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00510FE5
Part of subcall function 00510FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00510FEC
Part of subcall function 00510FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00511002

GetLengthSid.ADVAPI32(?,00000000,00511335), ref: 005117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005117BA
HeapAlloc.KERNEL32(00000000), ref: 005117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005117DA
GetProcessHeap.KERNEL32(00000000,00000000,00511335), ref: 005117EE
HeapFree.KERNEL32(00000000), ref: 005117F5

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 2353c59093fe66e333604e190bc6556db2dd6ad50f65db068147de6df39bdc71
Instruction ID: 4872cbbb82f005d2efdab1e2ae32f6e5725e6aaf1efad4330fbf29d0e2ef0e58
Opcode Fuzzy Hash: 2353c59093fe66e333604e190bc6556db2dd6ad50f65db068147de6df39bdc71
Instruction Fuzzy Hash: D611BE35502A05FFEB149FA4CC49BEE7FA9FB82359F104098F54197290C735A984DB68

Function 005114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005114FF
OpenProcessToken.ADVAPI32(00000000), ref: 00511506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00511515
CloseHandle.KERNEL32(00000004), ref: 00511520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0051154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00511563

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 74684eb758e5f340944368e15613c6444b6b9eba463a1d62a075fcbf5de227c8
Instruction ID: a746dbc0923f3983559e64df780cceaf67f9530d7b19e5a406d9328ddc28e458
Opcode Fuzzy Hash: 74684eb758e5f340944368e15613c6444b6b9eba463a1d62a075fcbf5de227c8
Instruction Fuzzy Hash: 08115C76601209ABEF118F94DD49FDE7FA9FF49708F044054FA05A2060C3758EA4EB64

Function 004D3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004D3379,004D2FE5), ref: 004D3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004D339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004D33B7
SetLastError.KERNEL32(00000000,?,004D3379,004D2FE5), ref: 004D3409

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 19d23eef2a6628aeb85cdc0ef18743d3d641312b9ed5a1ce055e105b7d3be098
Instruction ID: 0c5e65fb431cd0511a76925ed1f58784493e9729e7d5012c402320d3760f0f0f
Opcode Fuzzy Hash: 19d23eef2a6628aeb85cdc0ef18743d3d641312b9ed5a1ce055e105b7d3be098
Instruction Fuzzy Hash: 80012832309311BEA6242F767DA995B2E54EB2577F320022FF810803F1EF195D15B18E

Function 004E2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004E5686,004F3CD6,?,00000000,?,004E5B6A,?,?,?,?,?,004DE6D1,?,00578A48), ref: 004E2D78
_free.LIBCMT ref: 004E2DAB
_free.LIBCMT ref: 004E2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,004DE6D1,?,00578A48,00000010,004B4F4A,?,?,00000000,004F3CD6), ref: 004E2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,004DE6D1,?,00578A48,00000010,004B4F4A,?,?,00000000,004F3CD6), ref: 004E2DEC
_abort.LIBCMT ref: 004E2DF2

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: deabe50e76fc011b991e122289ef4b47918bd57cb37cc351af4a80471edbdd00
Instruction ID: 203d993b24dd90f92b687a2f7a3835156828289468ba1156dd7ba95e628997fc
Opcode Fuzzy Hash: deabe50e76fc011b991e122289ef4b47918bd57cb37cc351af4a80471edbdd00
Instruction Fuzzy Hash: B3F02D7550558027C2523B377E0AE5B1B5DAFD27ABF31451FFA24D32D2EEAC88056128

Function 00548A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 004C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004C9693
Part of subcall function 004C9639: SelectObject.GDI32(?,00000000), ref: 004C96A2
Part of subcall function 004C9639: BeginPath.GDI32(?), ref: 004C96B9
Part of subcall function 004C9639: SelectObject.GDI32(?,00000000), ref: 004C96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00548A4E
LineTo.GDI32(?,00000003,00000000), ref: 00548A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00548A70
LineTo.GDI32(?,00000000,00000003), ref: 00548A80
EndPath.GDI32(?), ref: 00548A90
StrokePath.GDI32(?), ref: 00548AA0

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: d344d398cf67c5ffe6a83c9ba1bf55e3811f018d5866342e7a6f4588ff048171
Instruction ID: fd5640fc923f796bc1bd74edb3d7f68cccad66e52b91f448716fac601c56ed6f
Opcode Fuzzy Hash: d344d398cf67c5ffe6a83c9ba1bf55e3811f018d5866342e7a6f4588ff048171
Instruction Fuzzy Hash: E3110976001108FFDB129F91DC88EEE7F6CEB19358F048052FA199A1A1C7719D59EBA0

Function 005151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00515218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00515229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00515230
ReleaseDC.USER32(00000000,00000000), ref: 00515238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0051524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00515261

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d6719d0e08f73961aaee3a545840530d474d558321cff6f0314fa7f1a05db8ba
Instruction ID: 3d7bed95902015d4c1b02f36e7e9c5b36f8ad4b4a2a22f80d96a10434bbbcb1b
Opcode Fuzzy Hash: d6719d0e08f73961aaee3a545840530d474d558321cff6f0314fa7f1a05db8ba
Instruction Fuzzy Hash: 5F018F79A01709BBEB109BA59C49A8EBFB8FB99351F044065FA04A7290D6709804DBA0

Function 004B1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 004B1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 004B1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004B1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004B1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 004B1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 004B1C22

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 70c063362693600adf8fdaa3863c8e019a6251b434ead47274b8bd7332029678
Instruction ID: 2762951c20ad37d955211996360145699a11fc2d656f46af673038660d4347c3
Opcode Fuzzy Hash: 70c063362693600adf8fdaa3863c8e019a6251b434ead47274b8bd7332029678
Instruction Fuzzy Hash: F7016CB09027597DE3008F5A8C85B52FFA8FF59354F00411B915C4B941C7F5A864CFE5

Function 0051EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0051EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0051EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0051EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0051EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0051EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0051EB75

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 014f92cdd39cea9798db12b164c88308879dd3ba129868a520fcdad346266cb9
Instruction ID: 32b15ea84bca572f7c620160d8066e5ede0585fdce90344d8565291334eb141a
Opcode Fuzzy Hash: 014f92cdd39cea9798db12b164c88308879dd3ba129868a520fcdad346266cb9
Instruction Fuzzy Hash: E4F0BE7A202158BBE7205B629C0EEEF3E7CEFDBB19F004158FA01D2090D7A01A05E6B4

Function 00507439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00507452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00507469
GetWindowDC.USER32(?), ref: 00507475
GetPixel.GDI32(00000000,?,?), ref: 00507484
ReleaseDC.USER32(?,00000000), ref: 00507496
GetSysColor.USER32(00000005), ref: 005074B0

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 8fd2c7d6471db9be0efeaf611580c30bad4337382c4239081d648f44cf691b44
Instruction ID: a8fbafe4d2a73af6164ea70c508285ca160ce05506449aa55a172510efb11745
Opcode Fuzzy Hash: 8fd2c7d6471db9be0efeaf611580c30bad4337382c4239081d648f44cf691b44
Instruction Fuzzy Hash: D4017835801209EFDB905F64DC08BEE7FB5FB59315F1140A4F916A20A1CB312E45BB10

Function 00511874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0051187F
UnloadUserProfile.USERENV(?,?), ref: 0051188B
CloseHandle.KERNEL32(?), ref: 00511894
CloseHandle.KERNEL32(?), ref: 0051189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005118A5
HeapFree.KERNEL32(00000000), ref: 005118AC

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 1922954cc6d5521277afc138acef58f851a46f33a050864b34969447cdba61b5
Instruction ID: 273c1bf3a90a6257d222f9235fdea20a6663da95547a6a763775ff1a5b0554f1
Opcode Fuzzy Hash: 1922954cc6d5521277afc138acef58f851a46f33a050864b34969447cdba61b5
Instruction Fuzzy Hash: 1EE0ED3A105101BBD7415FA1ED0C985BF39FFAA7257108624F22582070CB325424EF50

Function 004BBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004BBEB3

Strings

D%X, xrefs: 004BBDED, 004BBD91, 004BBD1B
D%XD%X, xrefs: 004BBCA5
D%X, xrefs: 004BBCA2
D%X, xrefs: 004BBE9A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%X$D%X$D%X$D%XD%X
API String ID: 1385522511-3291585684
Opcode ID: 5413231ceda5b2ac2be4751e2e7b75b624c5d779e3017aaaab9f49bac0cd218e
Instruction ID: 6c7b1b2fefc849fe8969ddbe122d1906eab506d51732b541468ecdc6bc26bfef
Opcode Fuzzy Hash: 5413231ceda5b2ac2be4751e2e7b75b624c5d779e3017aaaab9f49bac0cd218e
Instruction Fuzzy Hash: E9912875A002068FCB14CF59C4906EABBF1FB58310F24856ED945AB350D7B9E981DBE4

Function 00537B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 004D0242: EnterCriticalSection.KERNEL32(0058070C,00581884,?,?,004C198B,00582518,?,?,?,004B12F9,00000000), ref: 004D024D
Part of subcall function 004D0242: LeaveCriticalSection.KERNEL32(0058070C,?,004C198B,00582518,?,?,?,004B12F9,00000000), ref: 004D028A

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

Part of subcall function 004D00A3: __onexit.LIBCMT ref: 004D00A9

__Init_thread_footer.LIBCMT ref: 00537BFB

Part of subcall function 004D01F8: EnterCriticalSection.KERNEL32(0058070C,?,?,004C8747,00582514), ref: 004D0202
Part of subcall function 004D01F8: LeaveCriticalSection.KERNEL32(0058070C,?,004C8747,00582514), ref: 004D0235

Strings

Variable must be of type 'Object'., xrefs: 00537C3A
5, xrefs: 00537C78
+TP, xrefs: 00537E2E
G, xrefs: 00537C7F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TP$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1585483997
Opcode ID: ece057337986aef11928eeb138140bca84aa6c36e5152fa340c04d06382177cf
Instruction ID: 55ed02c34e1377ef4a457a0ffdccb1e48bae9d1f59aa2c043c6954f1dd74b2a4
Opcode Fuzzy Hash: ece057337986aef11928eeb138140bca84aa6c36e5152fa340c04d06382177cf
Instruction Fuzzy Hash: 82918BB4A0420DEFCB24EF55D8949ADBFB1BF48304F108459F806AB292DB31AE45CB60

Function 0051C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B7620: _wcslen.LIBCMT ref: 004B7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0051C6EE
_wcslen.LIBCMT ref: 0051C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0051C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0051C7CA

Strings

0, xrefs: 0051C6AF

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: a199a5b7b3784aaf4dde1836aee64055676e45b5c133fc57bb23578db13edbc4
Instruction ID: 4accc4940f40f02bd2e79b72337ffc148993852a88c5c2dbcb8884054f9d706b
Opcode Fuzzy Hash: a199a5b7b3784aaf4dde1836aee64055676e45b5c133fc57bb23578db13edbc4
Instruction Fuzzy Hash: 1C51C1716843009BE754AF28C885BEA7FE8FF85314F040A2DF995E21D0DBA6D884DB56

Function 0053AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0053AEA3

Part of subcall function 004B7620: _wcslen.LIBCMT ref: 004B7625

GetProcessId.KERNEL32(00000000), ref: 0053AF38
CloseHandle.KERNEL32(00000000), ref: 0053AF67

Strings

@, xrefs: 0053AE72
<, xrefs: 0053AE6B

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 55b7a9315587a6481c2d67c4dda6b37006f548cb3119bbedc68ee38c1767e9e2
Instruction ID: 980d21697d2793dcd8709493d7b31b6e0ec0359aef91635a6cd182fdfc34b59b
Opcode Fuzzy Hash: 55b7a9315587a6481c2d67c4dda6b37006f548cb3119bbedc68ee38c1767e9e2
Instruction Fuzzy Hash: 2F717974A00214DFCB14DF95C485A9EBBF4BF08318F04849EE856AB7A2C778ED45CBA5

Function 0051719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00517206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0051723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0051724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005172CF

Strings

DllGetClassObject, xrefs: 00517242

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 010aa07c2bb83a25617d847bd62b4de92e111d80b6b8dde56583c5dd1a18bcb4
Instruction ID: 5537049e6c4bff581589afa066594c85c67215144acd8894174a67e7516b13e6
Opcode Fuzzy Hash: 010aa07c2bb83a25617d847bd62b4de92e111d80b6b8dde56583c5dd1a18bcb4
Instruction Fuzzy Hash: BA4193755042089FEB15CF58C884ADA7FB9FF8C314F1084A9BD059F20AD7B1D985DBA0

Function 00543D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00543E35
IsMenu.USER32(?), ref: 00543E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00543E92
DrawMenuBar.USER32 ref: 00543EA5

Strings

0, xrefs: 00543D89

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 41ef3427a71ae786bb1b68b1cf4d9fca9362c28e278f04a03948b7adc9a8e8b2
Instruction ID: a1ab902a8f823876597e5b5c2fc0dbe6560879b8b3184a2d91d9488adb4fd261
Opcode Fuzzy Hash: 41ef3427a71ae786bb1b68b1cf4d9fca9362c28e278f04a03948b7adc9a8e8b2
Instruction Fuzzy Hash: 22413B75A02209EFDB10DF50D884EEABBB9FF49358F044129F915A7260D730AE65DF50

Function 00511DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

Part of subcall function 00513CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00513CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00511E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00511E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00511EA9

Part of subcall function 004B6B57: _wcslen.LIBCMT ref: 004B6B6A

Strings

ListBox, xrefs: 00511E25
ComboBox, xrefs: 00511DF0

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 79da9d1a49483e1a014b1d52872230675a49b2c6f6babc8a6c17bc0f92cf1417
Instruction ID: 12745c6120bfe32eaa7bae325e1d58fa7cd3691a221213c2c09f6bb70cdbc36f
Opcode Fuzzy Hash: 79da9d1a49483e1a014b1d52872230675a49b2c6f6babc8a6c17bc0f92cf1417
Instruction Fuzzy Hash: B6215A75900104BAEB046BA5DC45CFF7FBDEF41398B10451EF916A71D0DB380D499624

Function 00542F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00542F8D
LoadLibraryW.KERNEL32(?), ref: 00542F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00542FA9
DestroyWindow.USER32(?), ref: 00542FB1

Strings

SysAnimate32, xrefs: 00542F68

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: d40eba216e12a2e353096a982839c85080a3755fd71055c2200403b08c2bfbb5
Instruction ID: 556c4cbc6c398a949540d3c1e77946e25dfdc36d2683c69d7650df58b88f1033
Opcode Fuzzy Hash: d40eba216e12a2e353096a982839c85080a3755fd71055c2200403b08c2bfbb5
Instruction Fuzzy Hash: CC21BB71200219BBEB104E649C86EFB3BB9FBA9368F904218F954D6090C271DC45AB60

Function 004D4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004D4D1E,004E28E9,?,004D4CBE,004E28E9,005788B8,0000000C,004D4E15,004E28E9,00000002), ref: 004D4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004D4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,004D4D1E,004E28E9,?,004D4CBE,004E28E9,005788B8,0000000C,004D4E15,004E28E9,00000002,00000000), ref: 004D4DC3

Strings

mscoree.dll, xrefs: 004D4D86
CorExitProcess, xrefs: 004D4D98

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 797f8530070a1ea1f5e4129e2da290ba1404766ef699a453e1126e0b713775bd
Instruction ID: 4490478144c0a2ce2924b93449afff04cd981ec7338f927a459e406367b03b0d
Opcode Fuzzy Hash: 797f8530070a1ea1f5e4129e2da290ba1404766ef699a453e1126e0b713775bd
Instruction Fuzzy Hash: A4F0C834501208BBDB505F90DC19BDEBFB5EF94716F00005AF805A6350CB345D44DF94

Function 004B4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,004B4EDD,?,00581418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004B4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004B4EAE
FreeLibrary.KERNEL32(00000000,?,?,004B4EDD,?,00581418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004B4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 004B4EA8
kernel32.dll, xrefs: 004B4E94

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 46a9e3f8ba4ceb6003e77dacbef90bd243fb76d7f395d44226073ac8aabd58c5
Instruction ID: 04df354cf2ffb75458f48c239f9d763fc1a6024b8962805292c19d1da6e5818f
Opcode Fuzzy Hash: 46a9e3f8ba4ceb6003e77dacbef90bd243fb76d7f395d44226073ac8aabd58c5
Instruction Fuzzy Hash: FBE08639A036225BD26117296C18ADB6E54AFD3B677050116FC04D2302DB64CD05D5B5

Function 004B4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,004F3CDE,?,00581418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004B4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004B4E74
FreeLibrary.KERNEL32(00000000,?,?,004F3CDE,?,00581418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 004B4E87

Strings

kernel32.dll, xrefs: 004B4E5B
Wow64RevertWow64FsRedirection, xrefs: 004B4E6E

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 0d3d37ddcc02588f0f6ed03a634beaf0ac6b68004f17731f01ebba40d2df4823
Instruction ID: 1739fc541cc3e38f4fc4093323736af170bc3845e3f9cd4d00fcbb44ca5a61bd
Opcode Fuzzy Hash: 0d3d37ddcc02588f0f6ed03a634beaf0ac6b68004f17731f01ebba40d2df4823
Instruction Fuzzy Hash: 32D0C239503A215786621B247C0CDCB2F18BFC2B393050112B804A6211CF24CD01E5F4

Function 00522947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00522C05
DeleteFileW.KERNEL32(?), ref: 00522C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00522C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00522CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00522CC0

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: ec62419af69f91b19633d31ae12c300b2a139fb6dd4769cd4e6d064a67dbe4eb
Instruction ID: 8b6bce313cfe2a348e22246add3e33e62df9aff9bd3c3b52bd4e0b436ce7fea2
Opcode Fuzzy Hash: ec62419af69f91b19633d31ae12c300b2a139fb6dd4769cd4e6d064a67dbe4eb
Instruction Fuzzy Hash: 10B16D76D00129BBDF21EBA5DC85EDEBB7DFF49304F0040AAF509E6181EA349A448F65

Function 0053A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0053A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0053A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0053A468
CloseHandle.KERNEL32(?), ref: 0053A63D

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 313a3110c9b34cb2f41a5785318658ec11b62946ef463ad7005b222a9be5b39c
Instruction ID: aa84b9955bb267dd5e637a6e48e24e8185666231234d4d9ab494ad75c5522664
Opcode Fuzzy Hash: 313a3110c9b34cb2f41a5785318658ec11b62946ef463ad7005b222a9be5b39c
Instruction Fuzzy Hash: E1A1C3716043009FD720DF25C882F2ABBE5AF84718F14885DF59A9B2D2D7B4EC418B96

Function 004EBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00553700), ref: 004EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0058121C,000000FF,00000000,0000003F,00000000,?,?), ref: 004EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00581270,000000FF,?,0000003F,00000000,?), ref: 004EBC36
_free.LIBCMT ref: 004EBB7F

Part of subcall function 004E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004ED7D1,00000000,00000000,00000000,00000000,?,004ED7F8,00000000,00000007,00000000,?,004EDBF5,00000000), ref: 004E29DE
Part of subcall function 004E29C8: GetLastError.KERNEL32(00000000,?,004ED7D1,00000000,00000000,00000000,00000000,?,004ED7F8,00000000,00000007,00000000,?,004EDBF5,00000000,00000000), ref: 004E29F0

_free.LIBCMT ref: 004EBD4B

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c7fcab8b0d1c4117131bfc170c307e31daa335528b8e40b6dc80a1ee335d258e
Instruction ID: a2b2860848fb2be67a747f949d19e1c018a3f6e25cfec6734b5e8ee7e81a64ce
Opcode Fuzzy Hash: c7fcab8b0d1c4117131bfc170c307e31daa335528b8e40b6dc80a1ee335d258e
Instruction Fuzzy Hash: B1512671804248AFCB10EF679C819AFBBBCEF40315B10026FE915E7291EB349E459BD8

Function 0051E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0051DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0051CF22,?), ref: 0051DDFD

Part of subcall function 0051DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0051CF22,?), ref: 0051DE16

Part of subcall function 0051E199: GetFileAttributesW.KERNEL32(?,0051CF95), ref: 0051E19A

lstrcmpiW.KERNEL32(?,?), ref: 0051E473
MoveFileW.KERNEL32(?,?), ref: 0051E4AC
_wcslen.LIBCMT ref: 0051E5EB
_wcslen.LIBCMT ref: 0051E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0051E650

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: c828384a75b61831ac090fd30c4545bb45229081cfe8104d179465003c39a456
Instruction ID: 24e5e14084e6cee4074827e1c43973abeeaa79f91114b9bd8880190f51953aec
Opcode Fuzzy Hash: c828384a75b61831ac090fd30c4545bb45229081cfe8104d179465003c39a456
Instruction Fuzzy Hash: A75183B24083459BDB24EB90DC919DF7BECAF84344F00491FF689D3151EF75A588876A

Function 0053B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

Part of subcall function 0053C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053B6AE,?,?), ref: 0053C9B5
Part of subcall function 0053C998: _wcslen.LIBCMT ref: 0053C9F1
Part of subcall function 0053C998: _wcslen.LIBCMT ref: 0053CA68
Part of subcall function 0053C998: _wcslen.LIBCMT ref: 0053CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0053BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0053BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0053BB63
RegCloseKey.ADVAPI32(?,?), ref: 0053BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0053BBB3

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 8b43d5ff60ac04ec9de44328e535b4a13041f876dd32575307924317567d7a2e
Instruction ID: b43e3c52031344b2f3a90a2153101b34664a59116022a60efc0576c19edea478
Opcode Fuzzy Hash: 8b43d5ff60ac04ec9de44328e535b4a13041f876dd32575307924317567d7a2e
Instruction Fuzzy Hash: 8C61B031208241AFD314DF14C494E6ABFE5FF84348F14895DF5998B2A2DB31ED45CBA2

Function 00518BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00518BCD
VariantClear.OLEAUT32 ref: 00518C3E
VariantClear.OLEAUT32 ref: 00518C9D
VariantClear.OLEAUT32(?), ref: 00518D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00518D3B

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c41ea1fc768627c6526c69f958b61f0dea772998c201c859d285f90303910b2b
Instruction ID: bc24e088f477f91ce960aa00564d90924bf44ce549f4e2f9e019b619cb00b9e5
Opcode Fuzzy Hash: c41ea1fc768627c6526c69f958b61f0dea772998c201c859d285f90303910b2b
Instruction Fuzzy Hash: 1B5168B5A00219EFDB10CF68D894AEABBF8FF89314B158559E909DB350E730E911CF90

Function 00528AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00528BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00528BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00528C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00528C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00528C5F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6383e84a7249ab769417e6dc47970aa53842775dab8270ce352f916b786eec43
Instruction ID: 632d0bc15805460c5eaaf09148ac095c38d05765550e9e534469dfdf22ab1144
Opcode Fuzzy Hash: 6383e84a7249ab769417e6dc47970aa53842775dab8270ce352f916b786eec43
Instruction Fuzzy Hash: BF516035A00214AFCB10DF55C881EADBBF5FF49318F048059E8496B3A2CB35ED51CBA4

Function 00538EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00538F40
GetProcAddress.KERNEL32(00000000,?), ref: 00538FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00538FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00539032
FreeLibrary.KERNEL32(00000000), ref: 00539052

Part of subcall function 004CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00521043,?,7529E610), ref: 004CF6E6
Part of subcall function 004CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0050FA64,00000000,00000000,?,?,00521043,?,7529E610,?,0050FA64), ref: 004CF70D

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 4b2cb02482c7310397b5fed3628c6c163a311513cbcb3b6c8221016ebb001269
Instruction ID: e3986ab0e552270ce54ee9a2c45f97d2bcd629d8bb6aae5da855c47f9f18201d
Opcode Fuzzy Hash: 4b2cb02482c7310397b5fed3628c6c163a311513cbcb3b6c8221016ebb001269
Instruction Fuzzy Hash: 01513978605205DFCB15DF69C4848EDBBB1FF49318F048099E80A9B362DB75ED85CB91

Function 00546B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00546C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00546C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00546C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0052AB79,00000000,00000000), ref: 00546C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00546CC7

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: ba5e2283792fee02b96673e33c41cfcb741c616aa3766f728bd37cfd8b13f93d
Instruction ID: f8f9f8dcf217a943c51177d2db09b240197efcc0126c7b21dc5533391661a270
Opcode Fuzzy Hash: ba5e2283792fee02b96673e33c41cfcb741c616aa3766f728bd37cfd8b13f93d
Instruction Fuzzy Hash: 2F419239A04104AFD724CF68CC98FE97FA5FB4B358F150268F895AB2E0C771AD41DA51

Function 004E2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004E20C3
_free.LIBCMT ref: 004E20E3

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: cae99f4d66cd7eb23c29b21cb70be4e475cf7c342bc2d967116846f2b2c4af2d
Instruction ID: 2e03a7932445d6e234b936284f0e55d88e4fe5518600cfecbfd8509f41131f8d
Opcode Fuzzy Hash: cae99f4d66cd7eb23c29b21cb70be4e475cf7c342bc2d967116846f2b2c4af2d
Instruction Fuzzy Hash: E8413872A002009FCB20DF7AC980A5EB7F9EF89314F15416EE605EB392D774AD01CB84

Function 004C912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004C9141
ScreenToClient.USER32(00000000,?), ref: 004C915E
GetAsyncKeyState.USER32(00000001), ref: 004C9183
GetAsyncKeyState.USER32(00000002), ref: 004C919D

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: b3adcf7e143a6f52bdce8d87db1372f2d04631fa91eafe017a07f0ccfc171803
Instruction ID: 0b8d3e9d1aa0bb5ee6d41389eeed53d1c9a538524a5457426204968fa1d596bb
Opcode Fuzzy Hash: b3adcf7e143a6f52bdce8d87db1372f2d04631fa91eafe017a07f0ccfc171803
Instruction Fuzzy Hash: DD417035A0851BFBDF059F64C849BEEBB74FB49324F24821AE425A32D0CB346D54DB91

Function 00523874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00523922
TranslateMessage.USER32(?), ref: 0052394B
DispatchMessageW.USER32(?), ref: 00523955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00523966

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4b2f8c42d2c54f1ad4543c74fffcc8ebe66f869d4d5a9cb2cae12ddb3eac4f93
Instruction ID: 27e2559dce8470b54003763761e3f7355b0ea81e5716282f38d68df7203c3866
Opcode Fuzzy Hash: 4b2f8c42d2c54f1ad4543c74fffcc8ebe66f869d4d5a9cb2cae12ddb3eac4f93
Instruction Fuzzy Hash: E731C8705057519EEB25CF34A849BB63FA8FF17304F04096DE852961E0E7B896C9EB11

Function 0052CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0052C21E,00000000), ref: 0052CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0052CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0052C21E,00000000), ref: 0052CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0052C21E,00000000), ref: 0052CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0052C21E,00000000), ref: 0052CFF2

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: c6a049f4f4740aca5cf0030e7300c39e831b82c3dcc08ef281835314f10a7db7
Instruction ID: ea6b3d2b24cd3db570dca889de910a8d19920948c7826669fef0dd18f17afc8e
Opcode Fuzzy Hash: c6a049f4f4740aca5cf0030e7300c39e831b82c3dcc08ef281835314f10a7db7
Instruction Fuzzy Hash: 76319C75500215EFDB20DFA5E984AAFBFF9FF16354B10442EF506D2182EB30AE449B60

Function 00511901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00511915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005119E2

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 55252ddb7ed3aeb9395ef1eda4b7b04ce2878df7e22f9e79a52f4a4d22d00262
Instruction ID: 67fa28d714f7eb48412e3cf2fd1dbad8086f96fa5dd13220867dd28e437a0eaa
Opcode Fuzzy Hash: 55252ddb7ed3aeb9395ef1eda4b7b04ce2878df7e22f9e79a52f4a4d22d00262
Instruction Fuzzy Hash: 6731DF71A00219EFDB00CFA8CD98ADE3FB5FB45314F108269FA21AB2D0C7709984DB90

Function 00545706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00545745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0054579D
_wcslen.LIBCMT ref: 005457AF
_wcslen.LIBCMT ref: 005457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00545816

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 30c04b22575aaaa33e330c073977fb22d1fbf00171258765b187b4168a4519c5
Instruction ID: fab097b43ab8d8c005d0571ddb35cbcdd81ca90730d2d149fa15a97a0499dd90
Opcode Fuzzy Hash: 30c04b22575aaaa33e330c073977fb22d1fbf00171258765b187b4168a4519c5
Instruction Fuzzy Hash: 2421A2759046189BDF209FA5CC85AEE7FB8FF55328F108226E929EE181E7708985CF50

Function 00530930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00530951
GetForegroundWindow.USER32 ref: 00530968
GetDC.USER32(00000000), ref: 005309A4
GetPixel.GDI32(00000000,?,00000003), ref: 005309B0
ReleaseDC.USER32(00000000,00000003), ref: 005309E8

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: feaf00045ab11903c197f639d1d015039093c9887e04e5efb6a8521441639f50
Instruction ID: ba795a833d7e6b48b0019e9d27c6c989f18cc79bf323bb6bef70ce8855cc6383
Opcode Fuzzy Hash: feaf00045ab11903c197f639d1d015039093c9887e04e5efb6a8521441639f50
Instruction Fuzzy Hash: 30219535600214AFD714EF65D884A9EBFE9FF95704F04806DE84697392CB70AD04DB50

Function 004ECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004ECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004ECDE9

Part of subcall function 004E3820: RtlAllocateHeap.NTDLL(00000000,?,00581444,?,004CFDF5,?,?,004BA976,00000010,00581440,004B13FC,?,004B13C6,?,004B1129), ref: 004E3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004ECE0F
_free.LIBCMT ref: 004ECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004ECE31

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 4deb1bf7017af527f0e1216ffc153c429a3c15ea661922bdb4c88b32da1e228d
Instruction ID: f7d3715db8d49ee05f9126556ce6a40b2bf731fa4b3f0ef3e65deabce3263720
Opcode Fuzzy Hash: 4deb1bf7017af527f0e1216ffc153c429a3c15ea661922bdb4c88b32da1e228d
Instruction Fuzzy Hash: 9701B1726022957F23211ABB6CC8C7B6D6DEBC7BA6315012AF905D7201EA698D0391B8

Function 004C9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004C9693
SelectObject.GDI32(?,00000000), ref: 004C96A2
BeginPath.GDI32(?), ref: 004C96B9
SelectObject.GDI32(?,00000000), ref: 004C96E2

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 29645cf6afee21a05a5eaf864a7419804c840f916da1f9acca2c7a1db85b2191
Instruction ID: e2c101b550f88aed8d4a475638658510abe509796b55641968d3e11bb7fa08ff
Opcode Fuzzy Hash: 29645cf6afee21a05a5eaf864a7419804c840f916da1f9acca2c7a1db85b2191
Instruction Fuzzy Hash: 46217134902709EBDB519F64EC08BAE3BA8BB61315F10121AF811B62E0D3745C5AEB9C

Function 00515711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00515726
_memcmp.LIBVCRUNTIME ref: 00515744
_memcmp.LIBVCRUNTIME ref: 00515757
_memcmp.LIBVCRUNTIME ref: 0051576F
_memcmp.LIBVCRUNTIME ref: 00515787

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 24b51a3f3b5c2acad6daad9ceb129255110a9125a23b86a8b63cb42d96a3c4ea
Instruction ID: dfd5c861f2846fd334d55960e7baf0c366e5f2a36486107b5ef596679d16b9b5
Opcode Fuzzy Hash: 24b51a3f3b5c2acad6daad9ceb129255110a9125a23b86a8b63cb42d96a3c4ea
Instruction Fuzzy Hash: 4501D2B5241609FBF20851159D83EFA7B4CFBA23E8B000026FE049A682F630ED5082A4

Function 004E2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,004DF2DE,004E3863,00581444,?,004CFDF5,?,?,004BA976,00000010,00581440,004B13FC,?,004B13C6), ref: 004E2DFD
_free.LIBCMT ref: 004E2E32
_free.LIBCMT ref: 004E2E59
SetLastError.KERNEL32(00000000,004B1129), ref: 004E2E66
SetLastError.KERNEL32(00000000,004B1129), ref: 004E2E6F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 48b1bb42c219b6f93c0c96dc9680863467dd61caec75de683856af86da6654e8
Instruction ID: 1cfd65600d4ac01a570f1723382faaae5ebc57aa820aac0a1cfa69cfd8edee28
Opcode Fuzzy Hash: 48b1bb42c219b6f93c0c96dc9680863467dd61caec75de683856af86da6654e8
Instruction Fuzzy Hash: 76014E7620259027C6122B3F2E45D2B1A5DAFD137B721442FF414A32D3DAEC8C055028

Function 0051000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0050FF41,80070057,?,?,?,0051035E), ref: 0051002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0050FF41,80070057,?,?), ref: 00510046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0050FF41,80070057,?,?), ref: 00510054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0050FF41,80070057,?), ref: 00510064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0050FF41,80070057,?,?), ref: 00510070

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b08e3ebd0d67f62641a5d6e17430bff67fc449c8f0df34a8d0c05ffc0142d372
Instruction ID: 1e87267e6f4d4ea8f39c6406bb8f1cc1a59d939060dc58fddf5897c53a3b95ba
Opcode Fuzzy Hash: b08e3ebd0d67f62641a5d6e17430bff67fc449c8f0df34a8d0c05ffc0142d372
Instruction Fuzzy Hash: 3501DF7A601204BFEB105F69DC08BEA7EADFB88795F105024F801D2250E7B1DE84ABA0

Function 0051E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0051E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0051E9A5
Sleep.KERNEL32(00000000), ref: 0051E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0051E9B7
Sleep.KERNEL32 ref: 0051E9F3

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c3446e4c21c13c219a4f0576d96eb16180f38db03f212c3a7c4a3f1ebf88b7ea
Instruction ID: 72194db1795e96fd60a98de7170eb6f5f514789157f3b8ef1031b53effd75625
Opcode Fuzzy Hash: c3446e4c21c13c219a4f0576d96eb16180f38db03f212c3a7c4a3f1ebf88b7ea
Instruction Fuzzy Hash: 84015735C0262DDBDF40ABE5D84AAEDBF78BB59700F000546E902B2241DB749598DBA5

Function 005110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00511114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00510B9B,?,?,?), ref: 00511120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00510B9B,?,?,?), ref: 0051112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00510B9B,?,?,?), ref: 00511136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0051114D

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 73781f8bab5231d3d6aa3cb393be254c9291e5b4f1832432c2600852e93ac104
Instruction ID: f1fadcafeb721583faef7333b79565738590de854427508d68ca2bc8617f206a
Opcode Fuzzy Hash: 73781f8bab5231d3d6aa3cb393be254c9291e5b4f1832432c2600852e93ac104
Instruction Fuzzy Hash: C1016D79101605BFDB514FA5DC49AAA3F6EFFC6368B100458FA41C3360DB31DC40DA60

Function 00510FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00510FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00510FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00510FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00510FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00511002

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 694516bf18e5740a5c6590366e269f539702055e5a7ece813b0454d5dd824bde
Instruction ID: 3a782d122042801c7829f961148d6b7c904d58c045f40c554300e44f0c478b63
Opcode Fuzzy Hash: 694516bf18e5740a5c6590366e269f539702055e5a7ece813b0454d5dd824bde
Instruction Fuzzy Hash: 5DF0A939202301ABEB210FA59C4DF9A3FADFFDA7A6F100414FA09C7250DA30DC809A60

Function 00511014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0051102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00511036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00511045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0051104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00511062

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 236ae41f57d69e2dc4ffadd203ab697a6fb4eac0ab60a2bdc3a8c5467b837273
Instruction ID: b5f93103c172bc51421b08c4b602b3344fe134338a58ec057673da09ca8469c4
Opcode Fuzzy Hash: 236ae41f57d69e2dc4ffadd203ab697a6fb4eac0ab60a2bdc3a8c5467b837273
Instruction Fuzzy Hash: D8F04939602701ABEB215FA6EC4DF9A3FADFFDA765F100414FA49C7250CA70D884DA60

Function 0052030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0052017D,?,005232FC,?,00000001,004F2592,?), ref: 00520324
CloseHandle.KERNEL32(?,?,?,?,0052017D,?,005232FC,?,00000001,004F2592,?), ref: 00520331
CloseHandle.KERNEL32(?,?,?,?,0052017D,?,005232FC,?,00000001,004F2592,?), ref: 0052033E
CloseHandle.KERNEL32(?,?,?,?,0052017D,?,005232FC,?,00000001,004F2592,?), ref: 0052034B
CloseHandle.KERNEL32(?,?,?,?,0052017D,?,005232FC,?,00000001,004F2592,?), ref: 00520358
CloseHandle.KERNEL32(?,?,?,?,0052017D,?,005232FC,?,00000001,004F2592,?), ref: 00520365

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 89f243d5b90279bccaab3cde07882baf1bd4f66a0db5bdc67f7860f9c95bef18
Instruction ID: cf209aa099f773e4d151dd0662ef77cc4420abd458e143042f0f98e04c5457f9
Opcode Fuzzy Hash: 89f243d5b90279bccaab3cde07882baf1bd4f66a0db5bdc67f7860f9c95bef18
Instruction Fuzzy Hash: D301A272802B259FC7309F66E880416FBF5BF613153159E3FD196529B2C371A958DF80

Function 004ED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004ED752

Part of subcall function 004E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004ED7D1,00000000,00000000,00000000,00000000,?,004ED7F8,00000000,00000007,00000000,?,004EDBF5,00000000), ref: 004E29DE
Part of subcall function 004E29C8: GetLastError.KERNEL32(00000000,?,004ED7D1,00000000,00000000,00000000,00000000,?,004ED7F8,00000000,00000007,00000000,?,004EDBF5,00000000,00000000), ref: 004E29F0

_free.LIBCMT ref: 004ED764
_free.LIBCMT ref: 004ED776
_free.LIBCMT ref: 004ED788
_free.LIBCMT ref: 004ED79A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2a4d04368fe926d337f7e7d4eba8935acb0ca012feabeeddafc61624f8052c94
Instruction ID: 0ae19003e520f84a12fffc376e2f2cb4dc29a59edd2bd31795a1cf7b75d2e307
Opcode Fuzzy Hash: 2a4d04368fe926d337f7e7d4eba8935acb0ca012feabeeddafc61624f8052c94
Instruction Fuzzy Hash: 93F031B2A002886BC611EB56F9C2C177BDDBB04312B95180EF049D7602C72CFC805668

Function 00515C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00515C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00515C6F
MessageBeep.USER32(00000000), ref: 00515C87
KillTimer.USER32(?,0000040A), ref: 00515CA3
EndDialog.USER32(?,00000001), ref: 00515CBD

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: df4560644d984303cd3e6fb7b8b9715bab636faf7b055fdfd55139e367c08fd5
Instruction ID: 5b32fcc6f5170f726f6c6c64d3a22a7fdb1e443cffeda86e75dac3c4aa75dedb
Opcode Fuzzy Hash: df4560644d984303cd3e6fb7b8b9715bab636faf7b055fdfd55139e367c08fd5
Instruction Fuzzy Hash: FE018634501B04EBFB205F14DD4EFE67FB8BB51B09F010559A693A10E1EBF4AD889A90

Function 004E22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004E22BE

Part of subcall function 004E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,004ED7D1,00000000,00000000,00000000,00000000,?,004ED7F8,00000000,00000007,00000000,?,004EDBF5,00000000), ref: 004E29DE
Part of subcall function 004E29C8: GetLastError.KERNEL32(00000000,?,004ED7D1,00000000,00000000,00000000,00000000,?,004ED7F8,00000000,00000007,00000000,?,004EDBF5,00000000,00000000), ref: 004E29F0

_free.LIBCMT ref: 004E22D0
_free.LIBCMT ref: 004E22E3
_free.LIBCMT ref: 004E22F4
_free.LIBCMT ref: 004E2305

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 83088ad36eb80bd756f13c6c1614d3291ae4292bfdcdfa673f372527dddcd374
Instruction ID: 07adb71c3d41dcad40b17c719b12786aca8f9b5e658bb382b209fdb8eb802154
Opcode Fuzzy Hash: 83088ad36eb80bd756f13c6c1614d3291ae4292bfdcdfa673f372527dddcd374
Instruction Fuzzy Hash: ADF090F95005508BC622AF57BD028083F6CB738762701718FF815E62B2C778044ABBAD

Function 004C95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004C95D4
StrokeAndFillPath.GDI32(?,?,005071F7,00000000,?,?,?), ref: 004C95F0
SelectObject.GDI32(?,00000000), ref: 004C9603
DeleteObject.GDI32 ref: 004C9616
StrokePath.GDI32(?), ref: 004C9631

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f3179b49665a6a4f3671972c219d1c26483bf6e970337eed8c374f09e23c3fd8
Instruction ID: a73b3acf6b5d0cfb5bf521d149c38bca7942960faacb8536a64062a3cfc538d8
Opcode Fuzzy Hash: f3179b49665a6a4f3671972c219d1c26483bf6e970337eed8c374f09e23c3fd8
Instruction Fuzzy Hash: 1CF0A439006A04FBD7564F54EC0CBA93F68B761326F009218F819651F0C734495AFF28

Function 004E0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004E10F9
__freea.LIBCMT ref: 004E1117

Part of subcall function 004E1537: _free.LIBCMT ref: 004E154F

Strings

a/p, xrefs: 004E11DE
am/pm, xrefs: 004E117A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: bdbc33269b7731fb41bee86fec8f17149909a82ce08412c26499bcf8c29dea04
Instruction ID: 4adda6d957c076bb465de8f50f31962483fd400efb7880987f45e0481d485558
Opcode Fuzzy Hash: bdbc33269b7731fb41bee86fec8f17149909a82ce08412c26499bcf8c29dea04
Instruction Fuzzy Hash: 14D1E231980285CAEB249F6AC855BFFB7B0EF05302F14415BEA01ABB64D37D9D81CB59

Function 005361D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 004D0242: EnterCriticalSection.KERNEL32(0058070C,00581884,?,?,004C198B,00582518,?,?,?,004B12F9,00000000), ref: 004D024D
Part of subcall function 004D0242: LeaveCriticalSection.KERNEL32(0058070C,?,004C198B,00582518,?,?,?,004B12F9,00000000), ref: 004D028A

Part of subcall function 004D00A3: __onexit.LIBCMT ref: 004D00A9

__Init_thread_footer.LIBCMT ref: 00536238

Part of subcall function 004D01F8: EnterCriticalSection.KERNEL32(0058070C,?,?,004C8747,00582514), ref: 004D0202
Part of subcall function 004D01F8: LeaveCriticalSection.KERNEL32(0058070C,?,004C8747,00582514), ref: 004D0235

Part of subcall function 0052359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005235E4
Part of subcall function 0052359C: LoadStringW.USER32(00582390,?,00000FFF,?), ref: 0052360A

Strings

x#X, xrefs: 00536353
x#X, xrefs: 0053636F
x#X, xrefs: 0053633A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#X$x#X$x#X
API String ID: 1072379062-3352164275
Opcode ID: e8620c2e4994f16e22865e4e2ddca515323be8ab2ef338253f44aa2527d201e2
Instruction ID: 6c62b9cbd572c090df454a8df82abfbf53d32711b66826e0445d88d1e6f038a4
Opcode Fuzzy Hash: e8620c2e4994f16e22865e4e2ddca515323be8ab2ef338253f44aa2527d201e2
Instruction Fuzzy Hash: 18C15C75A00105AFCB14DF98C895EAABBB9FF48304F14846EF905AB291DB74ED45CBA0

Function 004E5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOK, xrefs: 004E5BA8, 004E5C6C

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: JOK
API String ID: 0-346233558
Opcode ID: 68de409d745c6d6aeea2ea857b4f1fd1209b54995e335218d3768a62fb861385
Instruction ID: 4ca717f70fd1226ef28dca8c707ae6fe9e9b1c7a43a751e6f8c69738027f6487
Opcode Fuzzy Hash: 68de409d745c6d6aeea2ea857b4f1fd1209b54995e335218d3768a62fb861385
Instruction Fuzzy Hash: AB510375D006899FCB209FA7C845FAF7BB8AF0531EF20005BF405A7392D6799901CB6A

Function 004E8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 004E8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 004E8B7A
__dosmaperr.LIBCMT ref: 004E8B81

Strings

.M, xrefs: 004E8A63

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .M
API String ID: 2434981716-2714461155
Opcode ID: b04c7cbd18bf3b907ec8e352edb7521268172cbd808c457d20191468d1224d82
Instruction ID: be3edad326cf20936266a1bf359e363c4cb04a3be0a5272ca48b5810417b7c4b
Opcode Fuzzy Hash: b04c7cbd18bf3b907ec8e352edb7521268172cbd808c457d20191468d1224d82
Instruction Fuzzy Hash: EA4180705040C5AFCF249F16CC80A7A7F96DF86305B1881AFF88D87242DE359C02D758

Function 00512716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0051B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005121D0,?,?,00000034,00000800,?,00000034), ref: 0051B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00512760

Part of subcall function 0051B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0051B3F8

Part of subcall function 0051B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0051B355
Part of subcall function 0051B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00512194,00000034,?,?,00001004,00000000,00000000), ref: 0051B365
Part of subcall function 0051B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00512194,00000034,?,?,00001004,00000000,00000000), ref: 0051B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0051281A

Strings

@, xrefs: 00512832

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 6e367266bc3e77b643354c341c8662dc45083fa5c39cefd08297312f3f68ffdf
Instruction ID: 37ba00e82bae4b053a0f19695de192e0194cfa89206059843087ec87cfc69aa5
Opcode Fuzzy Hash: 6e367266bc3e77b643354c341c8662dc45083fa5c39cefd08297312f3f68ffdf
Instruction Fuzzy Hash: 7F413D76900219BFEB10DBA4CD85ADEBBB8FF45300F108499FA55B7181DB706E85CB60

Function 004E172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 004E1769
_free.LIBCMT ref: 004E1834
_free.LIBCMT ref: 004E183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 004E1760, 004E1767, 004E1796, 004E17CE

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 4934aa32a129c53fbee2198fb93f9986b89257ad2ac3604d7ff244fb92cf57d6
Instruction ID: 8810be123e46383f8b7b181e488cfeec96f9825cddfebab933d4f8be23049723
Opcode Fuzzy Hash: 4934aa32a129c53fbee2198fb93f9986b89257ad2ac3604d7ff244fb92cf57d6
Instruction Fuzzy Hash: FC31E275A40298ABCB21DB9B8C81D9FBBFCEB94711B1001ABF80197321D6748E45CB98

Function 0051C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0051C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0051C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00581990,009E57D0), ref: 0051C395

Strings

0, xrefs: 0051C2DF

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: a08e4b6c80b1553d97f7250c8d5504f0725379b931925ae3f2809e8575061a70
Instruction ID: e796a879a6e42f935c3d3f7d78a92e299839bdbe03da60dc02f0fff2a2e2471f
Opcode Fuzzy Hash: a08e4b6c80b1553d97f7250c8d5504f0725379b931925ae3f2809e8575061a70
Instruction Fuzzy Hash: 2641CE312443029FE720DF25D884B9ABFE4BF85324F108E1EF9A597291C731A944CB66

Function 00544416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0054CC08,00000000,?,?,?,?), ref: 005444AA
GetWindowLongW.USER32 ref: 005444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005444D7

Strings

SysTreeView32, xrefs: 0054447C

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 90542913d053215906d97d45a0d8117cc85b4c1c3c088a4ea15d9a7d1d13fe65
Instruction ID: c6489ccc56e14a6a71c93efd971a106c7b6d29182c241960db27fa22060364ec
Opcode Fuzzy Hash: 90542913d053215906d97d45a0d8117cc85b4c1c3c088a4ea15d9a7d1d13fe65
Instruction Fuzzy Hash: B8318D32250605AFDF209E38DC45BEA7BA9FB49338F208719F979A21D0D774EC519B50

Function 00516E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00516EED
VariantCopyInd.OLEAUT32(?,?), ref: 00516F08
VariantClear.OLEAUT32(?), ref: 00516F12

Strings

*jQ, xrefs: 00516E8B, 00516E90, 00516EF8

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jQ
API String ID: 2173805711-1239808107
Opcode ID: efc67733052cdf70fdf1198b02be7d3748385e6b62bcab8ae3a7487f94f3688f
Instruction ID: 28ed2804e85af712b162d106a89989144e3c8c739e3d8c3636f3cb5113e75113
Opcode Fuzzy Hash: efc67733052cdf70fdf1198b02be7d3748385e6b62bcab8ae3a7487f94f3688f
Instruction Fuzzy Hash: 8631AF71604205DFDB04AFA5E8919FE3BB9FF85308B1008A9F9024B2B5C7749992DBE5

Function 0053304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0053335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00533077,?,?), ref: 00533378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0053307A
_wcslen.LIBCMT ref: 0053309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00533106

Strings

255.255.255.255, xrefs: 00533095, 0053309A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: f79d75ea75d0e0f3f5c2e7ae5c81361754bcd2deb76b04d241cda5b8d7cb49cd
Instruction ID: 72d23e95774c80dd4e86617a69aeec28969f1da51b08f997ccb4d68311b71c54
Opcode Fuzzy Hash: f79d75ea75d0e0f3f5c2e7ae5c81361754bcd2deb76b04d241cda5b8d7cb49cd
Instruction Fuzzy Hash: B831C1396042019FCB24CF69C589EAA7BE0FF54318F248499E9158B3A2DB72EE45C760

Function 00544653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00544705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00544713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0054471A

Strings

msctls_updown32, xrefs: 00544684

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 2bd864ecb9fd24533152a663df7907dbbf8e1c93e3196ab8365ac1b0e3a23b18
Instruction ID: 803bbcbde16a820e6b7a38aeaa3aa0710221d73b9505befea05c5942dda4c111
Opcode Fuzzy Hash: 2bd864ecb9fd24533152a663df7907dbbf8e1c93e3196ab8365ac1b0e3a23b18
Instruction Fuzzy Hash: F7214CB5600209AFDB10DF68DC81DA63BADFB9A398B05045AFA059B351CB70EC12DB64

Function 005195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0051961D

Strings

#requireadmin, xrefs: 005195D9
#notrayicon, xrefs: 005195B7
#OnAutoItStartRegister, xrefs: 005195F3

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 19b5e3614bfc7670e0e669eecaacd33a86892c5b3011b4b34a5d17c4e8b37bf6
Instruction ID: 20066c7bfe464ede9da7fb84b230924197eb5ea3b5ec78dc429f6a0071127732
Opcode Fuzzy Hash: 19b5e3614bfc7670e0e669eecaacd33a86892c5b3011b4b34a5d17c4e8b37bf6
Instruction Fuzzy Hash: EB21267220411066E331AA2A9822FF77BD9BF91318F11442FF949A7141EB59AD81C2A9

Function 005437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00543840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00543850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00543876

Strings

Listbox, xrefs: 0054380F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 89dc0887e4fdf274b12fa44700d328bd4d5391efb3f7bfaa8d64487eff33bc7c
Instruction ID: bb94cd6887c00721d4e939e9c76275a0e394303b75c25df6f69aa0e16b095e56
Opcode Fuzzy Hash: 89dc0887e4fdf274b12fa44700d328bd4d5391efb3f7bfaa8d64487eff33bc7c
Instruction Fuzzy Hash: 8A21D072601118BBEB118F64CC41EFB3B6EFF99758F008124F9449B1A0C671DD1287A0

Function 005249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00524A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00524A5C
SetErrorMode.KERNEL32(00000000,?,?,0054CC08), ref: 00524AD0

Strings

%lu, xrefs: 00524A6F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 88d8a58a90981c8ff58805862c242aa78193c98a65fa848263ca400ed436c870
Instruction ID: a07371bedf7da7caf4debb82a83312dbe9e2ff49577d28ba3dff38a512e9ccb4
Opcode Fuzzy Hash: 88d8a58a90981c8ff58805862c242aa78193c98a65fa848263ca400ed436c870
Instruction Fuzzy Hash: 3F318E75A00208AFDB10DF54C885EAA7BF8EF49308F1480A9E909DB252D775ED45CB61

Function 005441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0054424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00544264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00544271

Strings

msctls_trackbar32, xrefs: 00544226

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: eaeefd89bef0bb99c52e70bb64096c8c8b9d33f8c464d9ef3fbc0446853a2184
Instruction ID: a4117d73b7ae68b059efe8e8018f42670e47e278c536ac37af876f0eaf7c471f
Opcode Fuzzy Hash: eaeefd89bef0bb99c52e70bb64096c8c8b9d33f8c464d9ef3fbc0446853a2184
Instruction Fuzzy Hash: 2B11E331280208BEEF205E39CC06FEB3BACFF95B58F010524FA55E6090D6B1D8119B20

Function 00512F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B6B57: _wcslen.LIBCMT ref: 004B6B6A

Part of subcall function 00512DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00512DC5
Part of subcall function 00512DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00512DD6
Part of subcall function 00512DA7: GetCurrentThreadId.KERNEL32 ref: 00512DDD
Part of subcall function 00512DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00512DE4

GetFocus.USER32 ref: 00512F78

Part of subcall function 00512DEE: GetParent.USER32(00000000), ref: 00512DF9

GetClassNameW.USER32(?,?,00000100), ref: 00512FC3
EnumChildWindows.USER32(?,0051303B), ref: 00512FEB

Strings

%s%d, xrefs: 00512FFF

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 595e7a6d7e4a87791796d315b744a2b0ca518849e7de5240b60429ebb6e50191
Instruction ID: b3687e860e1d68677c8c2dfafab0e33e621e31684cbacf217f674807f033e949
Opcode Fuzzy Hash: 595e7a6d7e4a87791796d315b744a2b0ca518849e7de5240b60429ebb6e50191
Instruction Fuzzy Hash: DC11E7752002056BEF44BF74DC99EED3BAABFD4308F048079F9099B152DE3459899B70

Function 00545882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005458EE
DrawMenuBar.USER32(?), ref: 005458FD

Strings

0, xrefs: 0054588F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: ca5f2a4f686c1873ad1e369ca47af0c40abc50857baabdeb8d1b7ac275456828
Instruction ID: 1276b07dcdf9186ae7a0c40f4035f20c20dd7278acd144a1707a7b1928a583b4
Opcode Fuzzy Hash: ca5f2a4f686c1873ad1e369ca47af0c40abc50857baabdeb8d1b7ac275456828
Instruction Fuzzy Hash: CF016135501218EFDB619F11DC44BEEBFB5FB45768F108099F849D6152EB348A84EF21

Function 0050D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0050D3BF
FreeLibrary.KERNEL32 ref: 0050D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0050D3B9
X64, xrefs: 0050D2A8

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: ab4ae290f644cda8e106e0dd0f096b1aaa9fdc8ac61499a0f7185fa1c420fa9f
Instruction ID: 5c9da77e7aab5b9a68d9c0804abbd681e68be57eb60c7127b0d98ca049f28e3b
Opcode Fuzzy Hash: ab4ae290f644cda8e106e0dd0f096b1aaa9fdc8ac61499a0f7185fa1c420fa9f
Instruction Fuzzy Hash: BCF02739802A12EBC7B116504C54AED7F347F10701B949819B402E5188D714CD44C7BA

Function 0051007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4972efb93273256171760c6f4f62d5ac1b583603580de28b5d86dd0fd8d2ec47
Instruction ID: 900419fc3fa2ac66cc54eeed5d27a0e05aac094214fa12c0bba41cfc221c516a
Opcode Fuzzy Hash: 4972efb93273256171760c6f4f62d5ac1b583603580de28b5d86dd0fd8d2ec47
Instruction Fuzzy Hash: 02C17D75A0020AEFDB14CF94C898AAEBBB5FF48314F209998E415EB291D771DDC1DB90

Function 0053342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00533459
CoUninitialize.OLE32 ref: 00533463
VariantInit.OLEAUT32(?), ref: 0053346E
VariantClear.OLEAUT32(?), ref: 0053371B

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: c2a744bdbc502c71e53b5c6ed825252008947cc8d0202dabfd5af3a13ec97ca3
Instruction ID: 4a4324c81173a255e5f586f1e5357029b11e5e90281929c5ffcddb5183a7a534
Opcode Fuzzy Hash: c2a744bdbc502c71e53b5c6ed825252008947cc8d0202dabfd5af3a13ec97ca3
Instruction Fuzzy Hash: D5A16075604300AFC710DF29C485A6ABBE5FF88758F04885DF98A9B362DB34EE05CB65

Function 00510436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0054FC08,?), ref: 005105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0054FC08,?), ref: 00510608
CLSIDFromProgID.OLE32(?,?,00000000,0054CC40,000000FF,?,00000000,00000800,00000000,?,0054FC08,?), ref: 0051062D
_memcmp.LIBVCRUNTIME ref: 0051064E

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: e3188929052755bddbb75b420d2126137b2683816895ecb846a872b2a3608b0e
Instruction ID: 4e8f13e5934e14cdf49e610414ddf8d77156398c4f6e018fe496b9f7b0c80f54
Opcode Fuzzy Hash: e3188929052755bddbb75b420d2126137b2683816895ecb846a872b2a3608b0e
Instruction Fuzzy Hash: B8811B75A00109EFDB04DF94C984DEEBBB9FF89315F204558E506AB290DB71AE86CB60

Function 0053A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0053A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0053A6BA

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0053A79C
CloseHandle.KERNEL32(00000000), ref: 0053A7AB

Part of subcall function 004CCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,004F3303,?), ref: 004CCE8A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: da9e83df44f9fdf101c3bbd5f13698841dfba20eeb6fa2a36dbdfa24c6cb21e0
Instruction ID: eb2b3af1990823e915ed37e8f9da07d61222460c27842e5c612f808e17152803
Opcode Fuzzy Hash: da9e83df44f9fdf101c3bbd5f13698841dfba20eeb6fa2a36dbdfa24c6cb21e0
Instruction Fuzzy Hash: 66515E75508300AFD710EF25C886EABBBE8FF89758F00491EF58597251EB34E904CBA6

Function 004F1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004F14C0

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d2d6c46b3fc7488ee78f9e95eaecb77231296289ddd65a61f611fe7f4daabfb2
Instruction ID: 5eccbfe3f992db245d0d9780e1af233d17e7430c850cd47b58256fe8da874e5f
Opcode Fuzzy Hash: d2d6c46b3fc7488ee78f9e95eaecb77231296289ddd65a61f611fe7f4daabfb2
Instruction Fuzzy Hash: 4C413031500148EBDB256BBB9C456BF3AA4EF81378F14026BFA19D63F1E63C4841567A

Function 00546278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005462E2
ScreenToClient.USER32(?,?), ref: 00546315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00546382

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 93b023d61d576051e9c6ac1486ae04928203018e2d217cae3f19ef810f1c05e1
Instruction ID: 4b8638feda8d4e624b8827f2ca7c1331c3fe2de71d020d7949e1dd10ff2b79b0
Opcode Fuzzy Hash: 93b023d61d576051e9c6ac1486ae04928203018e2d217cae3f19ef810f1c05e1
Instruction Fuzzy Hash: E2512A74A00249AFCF14DF68D880AEE7BB5FB96368F108659F8159B290D730ED81DB91

Function 00531AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00531AFD
WSAGetLastError.WSOCK32 ref: 00531B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00531B8A
WSAGetLastError.WSOCK32 ref: 00531B94

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 654249b36b76203ccdab41eee53856daf3dc2231d35b739b81747d815702e212
Instruction ID: 7297cc9f699dea1ea133ffb67748f26150a46be9d14277c36e28c1b54ab1826c
Opcode Fuzzy Hash: 654249b36b76203ccdab41eee53856daf3dc2231d35b739b81747d815702e212
Instruction Fuzzy Hash: 6841E534600600AFE724AF21C886F667BE5AB4471CF54848DF9169F3D2D776ED418BA4

Function 004EB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec953c8371509b32d751a258d8a3d4f7d96b2da7bb9a9db0d2a771c065187f91
Instruction ID: cd4c2eb791235bce62befa75a4795ab2c5191301bd9b0b9822f7792afe01d6f1
Opcode Fuzzy Hash: ec953c8371509b32d751a258d8a3d4f7d96b2da7bb9a9db0d2a771c065187f91
Instruction Fuzzy Hash: 3641F471A00244BFD7249F3ACC41B6BBBA9EB84715F10452FF541DB2D1D379A90187C4

Function 005256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00525783
GetLastError.KERNEL32(?,00000000), ref: 005257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005257FA

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a4fc70a59203cd6c7ebc5d2734982cc6f68442d2c8004151600b7f00d8bee2e1
Instruction ID: a867110b2e1f4e58a0c563ad4b1703220cc19dc5774626b1051728c639996a47
Opcode Fuzzy Hash: a4fc70a59203cd6c7ebc5d2734982cc6f68442d2c8004151600b7f00d8bee2e1
Instruction Fuzzy Hash: DF413D39200610DFCB20DF15C485A5DBBF1EF89358B188489E84A5B7A1DB74FD01CBA5

Function 004ED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,004D6D71,00000000,00000000,004D82D9,?,004D82D9,?,00000001,004D6D71,?,00000001,004D82D9,004D82D9), ref: 004ED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004ED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004ED9AB
__freea.LIBCMT ref: 004ED9B4

Part of subcall function 004E3820: RtlAllocateHeap.NTDLL(00000000,?,00581444,?,004CFDF5,?,?,004BA976,00000010,00581440,004B13FC,?,004B13C6,?,004B1129), ref: 004E3852

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 15d7352c3ccab3fabf8b3603c2530fe92ce5d68d414e0cb956e040cf09d7e34f
Instruction ID: 04bdd8b5de36ca8378e708be10e152924f18b37dc7c2045b08f2c599b1145661
Opcode Fuzzy Hash: 15d7352c3ccab3fabf8b3603c2530fe92ce5d68d414e0cb956e040cf09d7e34f
Instruction Fuzzy Hash: 0131EDB2A0024AABDB24DF66DC45EAF7BA5EF40315F05016AFC04D7252EB39CD54CBA4

Function 005452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00545352
GetWindowLongW.USER32(?,000000F0), ref: 00545375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00545382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005453A8

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 9755f041a17a9b0b37bd7ae2dc79d61821ea8530a190329260920ba6fb2255e9
Instruction ID: c2b6c955266b272d97942f143eee754669db59c062323af12598115e20b517ed
Opcode Fuzzy Hash: 9755f041a17a9b0b37bd7ae2dc79d61821ea8530a190329260920ba6fb2255e9
Instruction Fuzzy Hash: 9431C334A55A0CEFEF349E14CC05FE83FA5BB05398F984942FA11961E2E7B4AD44EB41

Function 0051AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0051ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0051AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0051AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0051ACC6

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 21ff8e65c53e7dcc053199897a524e3866bac029baf5733a2b2294d49452c3b1
Instruction ID: 05636050a033dd21bd45a7a2da2692c81a71fdd50afc9e67f80d107fdea45ef8
Opcode Fuzzy Hash: 21ff8e65c53e7dcc053199897a524e3866bac029baf5733a2b2294d49452c3b1
Instruction Fuzzy Hash: 0D31F430A01618AFFF36CB6588087FA7FA5BB89318F04471AF485962D1D3758DC597D2

Function 00547674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0054769A
GetWindowRect.USER32(?,?), ref: 00547710
PtInRect.USER32(?,?,00548B89), ref: 00547720
MessageBeep.USER32(00000000), ref: 0054778C

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b014e899c0edb3381610519414b23b7ece9ad674815970b07b61de52ad9a1ca1
Instruction ID: 418d79b4ec221f2440aa10582c150545b38c67208fb64caaeb8dfa5b07e8415a
Opcode Fuzzy Hash: b014e899c0edb3381610519414b23b7ece9ad674815970b07b61de52ad9a1ca1
Instruction Fuzzy Hash: F3419A38A05219DFCB11CF58C894EE9BFF9FF9D318F5580A8E8149B261C730A946DB90

Function 005416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005416EB

Part of subcall function 00513A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00513A57
Part of subcall function 00513A3D: GetCurrentThreadId.KERNEL32 ref: 00513A5E
Part of subcall function 00513A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005125B3), ref: 00513A65

GetCaretPos.USER32(?), ref: 005416FF
ClientToScreen.USER32(00000000,?), ref: 0054174C
GetForegroundWindow.USER32 ref: 00541752

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 401b2eb8bb26196ebc3fb603579ce28fee187a2c38d56acc0acd32c54bfea784
Instruction ID: 44bcde172ebd956e54497dcb89df489a1cb1666f2a22a2148013e4c7e76920b1
Opcode Fuzzy Hash: 401b2eb8bb26196ebc3fb603579ce28fee187a2c38d56acc0acd32c54bfea784
Instruction Fuzzy Hash: DF315075D00109AFCB00EFA6C8C1CEEBBF9FF89308B5040AAE415E7251D6359E45CBA4

Function 00548FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004C9BB2

GetCursorPos.USER32(?), ref: 00549001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00507711,?,?,?,?,?), ref: 00549016
GetCursorPos.USER32(?), ref: 0054905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00507711,?,?,?), ref: 00549094

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 35e7e47f3810b38f1d0bdb19b82add9f13c1942f3266a98365d914474e07e0bc
Instruction ID: c9c1e07982eef7a1eba6d8bcd3ac90702351d550837c440e1332a23d99cf5140
Opcode Fuzzy Hash: 35e7e47f3810b38f1d0bdb19b82add9f13c1942f3266a98365d914474e07e0bc
Instruction Fuzzy Hash: BC21AB35601018AFDB25CF94C85AEEB3FB9FB8A354F004069F9099B261C731AD91EB60

Function 0051D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0054CB68), ref: 0051D2FB
GetLastError.KERNEL32 ref: 0051D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0051D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0054CB68), ref: 0051D376

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 30b0ba8268d6e5201a013c51b9699faee3f614f91bed555b1dd4d1f104d48309
Instruction ID: 34ccd7024d743c179e78e2016e566b4b02e2a5c80b82bda80b405e91e65c8b6f
Opcode Fuzzy Hash: 30b0ba8268d6e5201a013c51b9699faee3f614f91bed555b1dd4d1f104d48309
Instruction Fuzzy Hash: 11217E745092019F9714DF29C8814EA7BE4BE96368F504E1EF4A9C32A1D730998ACBA3

Function 00511571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00511014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0051102A
Part of subcall function 00511014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00511036
Part of subcall function 00511014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00511045
Part of subcall function 00511014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0051104C
Part of subcall function 00511014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00511062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005115BE
_memcmp.LIBVCRUNTIME ref: 005115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00511617
HeapFree.KERNEL32(00000000), ref: 0051161E

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b29bdea5b2a40a1868c0692683c4cd61f52a52837e59e806b7b3993478dcdd6f
Instruction ID: 4fad89dda907de5c34bb2846dfaf41a34a1713af551e9a7b28c91d38ed23d6f7
Opcode Fuzzy Hash: b29bdea5b2a40a1868c0692683c4cd61f52a52837e59e806b7b3993478dcdd6f
Instruction Fuzzy Hash: 0B21B031E01508EFEF00DFA4C948BEEBBB9FF85344F094499E501AB241D731AA84DB54

Function 00542782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0054280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00542824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00542832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00542840

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: f44e5f83ee0d62097e922fb3bcbf1517a806a4dd9d8e297560922a20bb1bde9d
Instruction ID: 616a5c8dadd044ac6699bbc6352173765c723c368720a6c94275e6ddbc8317b6
Opcode Fuzzy Hash: f44e5f83ee0d62097e922fb3bcbf1517a806a4dd9d8e297560922a20bb1bde9d
Instruction Fuzzy Hash: 4821B035205221AFD7149B25C844FEA7F99FF9632CF148158F4268B6E2CB75EC42CBA0

Function 005178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00518D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0051790A,?,000000FF,?,00518754,00000000,?,0000001C,?,?), ref: 00518D8C
Part of subcall function 00518D7D: lstrcpyW.KERNEL32(00000000,?,?,0051790A,?,000000FF,?,00518754,00000000,?,0000001C,?,?,00000000), ref: 00518DB2
Part of subcall function 00518D7D: lstrcmpiW.KERNEL32(00000000,?,0051790A,?,000000FF,?,00518754,00000000,?,0000001C,?,?), ref: 00518DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00518754,00000000,?,0000001C,?,?,00000000), ref: 00517923
lstrcpyW.KERNEL32(00000000,?,?,00518754,00000000,?,0000001C,?,?,00000000), ref: 00517949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00518754,00000000,?,0000001C,?,?,00000000), ref: 00517984

Strings

cdecl, xrefs: 0051797B

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1d57f9314b07870077724f8e9e051a2b2fd90283f3468b13ed27d7383e5ddb07
Instruction ID: 3362ca27e0ddc97fc2ca2b94c2f8654421953021aa979301a19fc1227f2e71a2
Opcode Fuzzy Hash: 1d57f9314b07870077724f8e9e051a2b2fd90283f3468b13ed27d7383e5ddb07
Instruction Fuzzy Hash: 0011293E200706ABDB15AF39D848EBA7BB5FFD9354B10402EF906C72A4EB319845D791

Function 00547CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00547D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00547D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00547D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0052B7AD,00000000), ref: 00547D6B

Part of subcall function 004C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004C9BB2

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 2e19b24852b855dda63dbafa3e897d872a770544abc8b1700461f2ab6866aa92
Instruction ID: d049e119773c292e2163bcbb06956a3b2ce8d23fcae6b1d244ba5f609a948c38
Opcode Fuzzy Hash: 2e19b24852b855dda63dbafa3e897d872a770544abc8b1700461f2ab6866aa92
Instruction Fuzzy Hash: C711C035615618AFCB109F28CC04AEA3FA9BF4A368B118724F839D72F0E7309D15DB80

Function 00545660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 005456BB
_wcslen.LIBCMT ref: 005456CD
_wcslen.LIBCMT ref: 005456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00545816

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 7b5875c8a267b98a3ea1babfeb96611e280cd4741b01d06cc80d1dc3973c3e08
Instruction ID: 53270457f725e0a7608d633d946b2e5ec2d57f9263e3916eca98bdf760e2f83c
Opcode Fuzzy Hash: 7b5875c8a267b98a3ea1babfeb96611e280cd4741b01d06cc80d1dc3973c3e08
Instruction Fuzzy Hash: 9611B175600608A7DF209F75CC85AEE7FACFF51768B10442AF915DA182FB708A84CB64

Function 004E1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edd958eb178b8bf31bb766084e4ac349c8ee459e98128554e83f8b4403702c0
Instruction ID: 1d91b418357334dc5b64e6053f01a1e75bd0bfb22106cc4a93d1f292683cd1fa
Opcode Fuzzy Hash: 5edd958eb178b8bf31bb766084e4ac349c8ee459e98128554e83f8b4403702c0
Instruction Fuzzy Hash: CD01F7F22456863EF610167A6CC1F67661CDF813BEB31132BF521512E2DB789C005128

Function 00511A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00511A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00511A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00511A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00511A8A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 73d8b8d6f3eba1f212d8defcc3949c950146391dbf7c184d8b00daf7344c9c69
Instruction ID: 207e02bcabff97d928be0a53174e3e4ee4e907d97fe91c17f8685c244bdf2373
Opcode Fuzzy Hash: 73d8b8d6f3eba1f212d8defcc3949c950146391dbf7c184d8b00daf7344c9c69
Instruction Fuzzy Hash: 9211F73A901219FFEB119BA5C985FEDBB78FF08750F200091EA05B7290D6716E50DB98

Function 0051E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0051E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0051E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0051E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0051E24D

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 79ca6f2e09c121573fac4424ba2496e1e52cd5334158d86f87d005450f053ef0
Instruction ID: c48f9714ebca1ade1a306754d4dc7f4da50436c516d0df6fc79801d7fdd77961
Opcode Fuzzy Hash: 79ca6f2e09c121573fac4424ba2496e1e52cd5334158d86f87d005450f053ef0
Instruction Fuzzy Hash: 1C112B7AE04254BBD7019FA8DC0AADE7FACEB96314F004659FC25E3291D6B0CD0897A0

Function 004DD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,004DCFF9,00000000,00000004,00000000), ref: 004DD218
GetLastError.KERNEL32 ref: 004DD224
__dosmaperr.LIBCMT ref: 004DD22B
ResumeThread.KERNEL32(00000000), ref: 004DD249

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 2fc40a82aaddd4886018539d827b3045d38bd3c13577a9ea6b7e47ad601afa10
Instruction ID: 5689101691addf6ab0bbaf6366ea5fb72fe174980b491251f457e0b5982dcd31
Opcode Fuzzy Hash: 2fc40a82aaddd4886018539d827b3045d38bd3c13577a9ea6b7e47ad601afa10
Instruction Fuzzy Hash: 6B0104368051047BCB215BA6DC15BAF7A6CDF82334F10025FF825923D0CB758905C6A5

Function 00549EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 004C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 004C9BB2

GetClientRect.USER32(?,?), ref: 00549F31
GetCursorPos.USER32(?), ref: 00549F3B
ScreenToClient.USER32(?,?), ref: 00549F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00549F7A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 408e6d7b7a9734a438776206928395621c79f780b969ee9497658d667eacea49
Instruction ID: d86d8557dacb2cff6ab1b3868e662bea2d7a4bb3987dc6842e55dfaf0d6ff559
Opcode Fuzzy Hash: 408e6d7b7a9734a438776206928395621c79f780b969ee9497658d667eacea49
Instruction Fuzzy Hash: 8A114C3550111ABBDB01DF58D84A9EE7BB8FB85319F000455F901E3140D734BE8ADBA5

Function 004B600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004B604C
GetStockObject.GDI32(00000011), ref: 004B6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 004B606A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d79ad619beb278365a44d7a9e3971491c5f6e083d9ffd64bf8c0e0782cb2045d
Instruction ID: 71b85379f5cecc4d10fee6f4bc7aa10476ef10f8cde1f4c070705b686a548d32
Opcode Fuzzy Hash: d79ad619beb278365a44d7a9e3971491c5f6e083d9ffd64bf8c0e0782cb2045d
Instruction Fuzzy Hash: DF11A172502508BFEF129FA58C44EFB7F69EF59368F010106FA0556110D73A9C60EBA4

Function 004D3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004D3B56

Part of subcall function 004D3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 004D3AD2
Part of subcall function 004D3AA3: ___AdjustPointer.LIBCMT ref: 004D3AED

_UnwindNestedFrames.LIBCMT ref: 004D3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 004D3B7C
CallCatchBlock.LIBVCRUNTIME ref: 004D3BA4

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 7ec33f3fd7ac2acd04313da781b34126d634740783039e96696216aa2784b3d1
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 91012D32100148BBDF125F96CC46DEB3B69EF88799F04401BFE4856221C73AE961DBA5

Function 004E3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004B13C6,00000000,00000000,?,004E301A,004B13C6,00000000,00000000,00000000,?,004E328B,00000006,FlsSetValue), ref: 004E30A5
GetLastError.KERNEL32(?,004E301A,004B13C6,00000000,00000000,00000000,?,004E328B,00000006,FlsSetValue,00552290,FlsSetValue,00000000,00000364,?,004E2E46), ref: 004E30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004E301A,004B13C6,00000000,00000000,00000000,?,004E328B,00000006,FlsSetValue,00552290,FlsSetValue,00000000), ref: 004E30BF

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ba2c4830b0ce33377ef01a2fd8ef1a13b4967d91b6e7d873f1acad8599994e7f
Instruction ID: dd1619896aec2bd8673ddb0678ac7ffe8ddd0523605aa61ad59998eb96a8c765
Opcode Fuzzy Hash: ba2c4830b0ce33377ef01a2fd8ef1a13b4967d91b6e7d873f1acad8599994e7f
Instruction Fuzzy Hash: C301FC36306262ABCB328F7A9C489677B989F95B67B100621F905E7244C725D905C6D4

Function 00517464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0051747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00517497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005174CA

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 1dfdd7c23f3e298bc8c04681eba9bcc71882c8d6e5fc615ceb5d49003e809ed7
Instruction ID: 9c3835dcf250a2290033cd81c81be1f69f53e1d9f0dd43f30577f30fab6901b6
Opcode Fuzzy Hash: 1dfdd7c23f3e298bc8c04681eba9bcc71882c8d6e5fc615ceb5d49003e809ed7
Instruction Fuzzy Hash: 0211A1B92063189BFB208F18DD08FD27FFCFB44B04F108569A666D6151D7B4E988EB50

Function 0051B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0051ACD3,?,00008000), ref: 0051B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0051ACD3,?,00008000), ref: 0051B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0051ACD3,?,00008000), ref: 0051B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0051ACD3,?,00008000), ref: 0051B126

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 07d2eabb142c2e143853f5af9a27a922ce4a39463ad94a3ff5bbaecf88171048
Instruction ID: 354b2f89b9696f1d1ba542fd99202df6a3a33f092c0166ed29e362a3cf7bd2bc
Opcode Fuzzy Hash: 07d2eabb142c2e143853f5af9a27a922ce4a39463ad94a3ff5bbaecf88171048
Instruction Fuzzy Hash: D811AD34C0252CE7EF00AFE4E998AEEBF78FF5A310F11448AD941B2181CB305690DB51

Function 00547E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00547E33
ScreenToClient.USER32(?,?), ref: 00547E4B
ScreenToClient.USER32(?,?), ref: 00547E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00547E8A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: c6a2481837df648756b5f13d8f5d0315d83204c53b8d33e44342537d3ee9d01f
Instruction ID: 32ee75ec7b8bd001b60b321b434146aff13af08620e07ec30b4333fe36f3fbc2
Opcode Fuzzy Hash: c6a2481837df648756b5f13d8f5d0315d83204c53b8d33e44342537d3ee9d01f
Instruction Fuzzy Hash: B21163B9D0020AAFDB41CFA8C8849EEBBF9FB19314F108056E911E3210D735AA54DF90

Function 00512DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00512DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00512DD6
GetCurrentThreadId.KERNEL32 ref: 00512DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00512DE4

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f92c384324b5691259da6ff6ca29e176f9e586d0b5748f76e26054c703d77424
Instruction ID: 8d45747dcd77ed9283082c1f5bfb62155be864ccf018ac2cb33d6a94052675df
Opcode Fuzzy Hash: f92c384324b5691259da6ff6ca29e176f9e586d0b5748f76e26054c703d77424
Instruction Fuzzy Hash: BDE092B52022287BE7201BB6EC0DFEB3E6CFFA3BA5F014015F105D10809AA0C885D6B0

Function 00548863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004C9693
Part of subcall function 004C9639: SelectObject.GDI32(?,00000000), ref: 004C96A2
Part of subcall function 004C9639: BeginPath.GDI32(?), ref: 004C96B9
Part of subcall function 004C9639: SelectObject.GDI32(?,00000000), ref: 004C96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00548887
LineTo.GDI32(?,?,?), ref: 00548894
EndPath.GDI32(?), ref: 005488A4
StrokePath.GDI32(?), ref: 005488B2

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a44262ff3b1e079dc593f74001071116ccff7c8cecd135dd7949443643b40bb5
Instruction ID: e2da6e4b5a54cd356ca972d88cd5fb687d1033325cf42b1569bade630cd70a83
Opcode Fuzzy Hash: a44262ff3b1e079dc593f74001071116ccff7c8cecd135dd7949443643b40bb5
Instruction Fuzzy Hash: 80F05E3A042658FADB125F94AC0DFDE3F69AF67318F048100FA11650E2C7755516EFE9

Function 004C98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004C98CC
SetTextColor.GDI32(?,?), ref: 004C98D6
SetBkMode.GDI32(?,00000001), ref: 004C98E9
GetStockObject.GDI32(00000005), ref: 004C98F1

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e9ca162c9bcbb7d55ff92466ecd4759765df39663cbf6274b0ab97c55654c902
Instruction ID: e6ff906e91b9ac582b706609b789c2a705ebe237f752c11a633d2eba3a25a428
Opcode Fuzzy Hash: e9ca162c9bcbb7d55ff92466ecd4759765df39663cbf6274b0ab97c55654c902
Instruction Fuzzy Hash: 08E06D35645284AAEB615B74AC09BED3F20BB6733AF04821AF6FA580E1C7715644EB10

Function 0051162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00511634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005111D9), ref: 0051163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005111D9), ref: 00511648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005111D9), ref: 0051164F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: e9c2bab17dcb179e00dd0e818591e35e9670c664915cd0a2d8fbb9603d506e79
Instruction ID: 8c272e9d43f6949ce6c41b814deb696ac65d827ae06d392453e4da27bd1ed93a
Opcode Fuzzy Hash: e9c2bab17dcb179e00dd0e818591e35e9670c664915cd0a2d8fbb9603d506e79
Instruction Fuzzy Hash: E9E04F396022119BE7A01FA09D0DBCA3F68AFA6795F144848F245C9090D76444889B54

Function 0050D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0050D858
GetDC.USER32(00000000), ref: 0050D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0050D882
ReleaseDC.USER32(?), ref: 0050D8A3

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 325b163d200b56451f5bc3e17cf8063f4baea0487ed85483426a0035af930bb2
Instruction ID: d3d2690288a3e2e2f6f0556e8aff88a4c9ce0e72e7166e6a15d4ba715f0c0a9f
Opcode Fuzzy Hash: 325b163d200b56451f5bc3e17cf8063f4baea0487ed85483426a0035af930bb2
Instruction Fuzzy Hash: 2FE01AB8801204DFCB819FA5D94CAADBFB1FB59314F11C459F806E7260C7388906AF50

Function 0050D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0050D86C
GetDC.USER32(00000000), ref: 0050D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0050D882
ReleaseDC.USER32(?), ref: 0050D8A3

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f065114dd3953f9c98a7266324167f05a3a205789366e24d20e59dd1a574150b
Instruction ID: 74c0cd800c75037f92a8253099565c4c05a8cdc9142c346e8fbed1d2b191d58c
Opcode Fuzzy Hash: f065114dd3953f9c98a7266324167f05a3a205789366e24d20e59dd1a574150b
Instruction Fuzzy Hash: D0E04F78C01200DFCF909FA5D84C6ADBFB1FB58318F118049F80AE7260C7385906AF50

Function 00524D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 004B7620: _wcslen.LIBCMT ref: 004B7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00524ED4

Strings

*, xrefs: 00524E10
LPT, xrefs: 00524DFB

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: bdad3a12f0bf7193c2f7db583f2e2768746c01e45910d8eefc10d93a07c2e07d
Instruction ID: e90711d89864023303e625e0122502ab4b7b1b8087b2cad60186b78a9e565576
Opcode Fuzzy Hash: bdad3a12f0bf7193c2f7db583f2e2768746c01e45910d8eefc10d93a07c2e07d
Instruction Fuzzy Hash: B8919E75A002149FCB14DF54D584EAABBF5BF85308F198099E80A9F3A2C735ED85CFA1

Function 004DE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004DE30D

Strings

pow, xrefs: 004DE2E5, 004DE302

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 19fda5a877310cfd891ec5517ffe4aa066c4ec85e240978271fd53dddd7d7d13
Instruction ID: 9d68d05010d282cbace4abd1afd2d86c87355a45ac43f9e7ceb6d16fc752a357
Opcode Fuzzy Hash: 19fda5a877310cfd891ec5517ffe4aa066c4ec85e240978271fd53dddd7d7d13
Instruction Fuzzy Hash: 2D519F61A0C24296CB11771BCD6177B3B989F10762F308D9BE4954A3E9EB3C8C85A74E

Function 00537771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0050569E,00000000,?,0054CC08,?,00000000,00000000), ref: 005378DD

Part of subcall function 004B6B57: _wcslen.LIBCMT ref: 004B6B6A

CharUpperBuffW.USER32(0050569E,00000000,?,0054CC08,00000000,?,00000000,00000000), ref: 0053783B

Strings

<sW, xrefs: 005377C8

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sW
API String ID: 3544283678-590162820
Opcode ID: ef5362bd98b614121c3afe4ac64d44df78779296f3a77619f47cde8b20ede3c3
Instruction ID: edbbb69f5645d4ed42f6e24ff8777ca61747c3cb340a7b00f7cd9815670616f6
Opcode Fuzzy Hash: ef5362bd98b614121c3afe4ac64d44df78779296f3a77619f47cde8b20ede3c3
Instruction Fuzzy Hash: 3A615DB691411CAACF14EBA5CC91DFDBBB4BF18708F44452AF542A3091EB385A05DBB4

Function 004CE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 004CE1B1

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 085fc91af9be16fcd39bd6fcd4fca4f2eea1d9aa57a1db139390954c467239f5
Instruction ID: 8c75df710e34ab09189a32ccad6b1481da631def4eabb55d7222c4f51027493f
Opcode Fuzzy Hash: 085fc91af9be16fcd39bd6fcd4fca4f2eea1d9aa57a1db139390954c467239f5
Instruction Fuzzy Hash: 1D51F1395002869FDB15DF29C082BFE7BA4FF55310F34845AE8919B2C0D7389D42CBA4

Function 004CF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 004CF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 004CF2BB

Strings

@, xrefs: 004CF2AF

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 8629013298321022d7f36c25c86a621115c710e70ea4593bbb906d6c0db37e69
Instruction ID: 67a6e12070aab7288091217c7588e562c85ebc6f373e56f7361013bcc6ce9aea
Opcode Fuzzy Hash: 8629013298321022d7f36c25c86a621115c710e70ea4593bbb906d6c0db37e69
Instruction Fuzzy Hash: DF5157714087449BD320AF15DC86BABBBF8FB94314F81884EF1D942195EB748529CB6A

Function 00535745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005357E0
_wcslen.LIBCMT ref: 005357EC

Strings

CALLARGARRAY, xrefs: 005357E6, 005357EB

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 332dc9ef07fbfff94456ee8c20fe6877296ff1977189a98f2cc37ae6a0b45a8a
Instruction ID: bc28a19cdcfe69704b00564b0990d93839a2067b961871eeda9f75d3986e1dcb
Opcode Fuzzy Hash: 332dc9ef07fbfff94456ee8c20fe6877296ff1977189a98f2cc37ae6a0b45a8a
Instruction Fuzzy Hash: D1419D71A002099FCB14DFA9C8859EEFFB5FF99364F20506EE505A7251E7349D81CBA0

Function 0052D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0052D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0052D13A

Strings

|, xrefs: 0052D10B

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 35b45fc33710b815c71d4993ac9fce23be38db5c9f60f60037e2faa56213d0d0
Instruction ID: 7926b0666a5ab2a1ad22da54b2102b3d1332fabb96ca7d4619814c09c19b37bb
Opcode Fuzzy Hash: 35b45fc33710b815c71d4993ac9fce23be38db5c9f60f60037e2faa56213d0d0
Instruction Fuzzy Hash: FB315E71D00219AFCF11EFA5DC85AEEBFB9FF15304F10001AF815A61A2E735AA16CB64

Function 0054356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00543621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0054365C

Strings

static, xrefs: 005435BC

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3f98a48380c688959293c0d1e5f270d014f25af1a6162606cbcb75dfeb8081ec
Instruction ID: 2bc5e7b9b27dfceb1dad53f9cdb3ce2cb7137ce6e7e10784ea5e0120776f5aaa
Opcode Fuzzy Hash: 3f98a48380c688959293c0d1e5f270d014f25af1a6162606cbcb75dfeb8081ec
Instruction Fuzzy Hash: 5B31AD71100204AADB149F28DC80EFB7BA9FF98728F01961DF8A597290DA34AD81D764

Function 00544537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0054461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00544634

Strings

', xrefs: 0054458E

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4dc232831716e0899670ba8eda39db8f378bbd18da5932d5ed208ce089e28843
Instruction ID: 0e61634b816781015384f8fc287493af40681ffbff98b489d60aab5c8b24d1b8
Opcode Fuzzy Hash: 4dc232831716e0899670ba8eda39db8f378bbd18da5932d5ed208ce089e28843
Instruction Fuzzy Hash: 40313674A0120A9FDF14CFA9C981BEABBB5FF49304F11406AE905AB381D770A941DF90

Function 005431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0054327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00543287

Strings

Combobox, xrefs: 00543249

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9bbd6a16730b9871a20537d79f98411a6486b21a54d7b4304d72f3c9ff18f5f4
Instruction ID: 8bdf4fdd2d2a62cf79193a562ab9593a66f9d821b1a01f32cdb92c14fe12b5da
Opcode Fuzzy Hash: 9bbd6a16730b9871a20537d79f98411a6486b21a54d7b4304d72f3c9ff18f5f4
Instruction Fuzzy Hash: F611E2753042087FFF259E64DC80EFB3F6AFB98368F104129F918AB2A0D6B19D519760

Function 00543710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004B604C
Part of subcall function 004B600E: GetStockObject.GDI32(00000011), ref: 004B6060
Part of subcall function 004B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 004B606A

GetWindowRect.USER32(00000000,?), ref: 0054377A
GetSysColor.USER32(00000012), ref: 00543794

Strings

static, xrefs: 00543757

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 1290535b1bc7dd31903a2a4add2536f095217ec970ca103dc146ab4d6fdd990c
Instruction ID: eb95232c32804003134df9b80e69053563f4b55a51fb6a5ea0392f01e391be71
Opcode Fuzzy Hash: 1290535b1bc7dd31903a2a4add2536f095217ec970ca103dc146ab4d6fdd990c
Instruction Fuzzy Hash: A01159B2610209AFDB00DFA8CC46AEA7BB8FB09308F004915FD95E2250E735E9119B60

Function 0052CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0052CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0052CDA6

Strings

<local>, xrefs: 0052CD66

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4f835376581478fdc1b8a6eb1c9d054ee00982ddd7c934198156b3929d605afd
Instruction ID: f56ebce2a4dc423eb92c30b42c80571b34d4e1952c1f11ee506d6cb2c3f077c5
Opcode Fuzzy Hash: 4f835376581478fdc1b8a6eb1c9d054ee00982ddd7c934198156b3929d605afd
Instruction Fuzzy Hash: FF1106752016717AD7384B66AC48EEBBE6CFF137A4F00462AB109831C1D3709844D6F0

Function 00543429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005434BA

Strings

edit, xrefs: 0054348F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 0b9b2295eecc6ac2bfc19a41146046fd487fc0b75e6d1420107d5049c52aba7b
Instruction ID: ec8b988f9bf660e0c41181063a285d5cee805824e1b600bbd3b1f05d75178477
Opcode Fuzzy Hash: 0b9b2295eecc6ac2bfc19a41146046fd487fc0b75e6d1420107d5049c52aba7b
Instruction Fuzzy Hash: 23119A71200208AAEF128E64DC48AEA3F6AFB5537CF504724F960971E0C735EC51AB60

Function 00516C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00516CB6
_wcslen.LIBCMT ref: 00516CC2

Strings

STOP, xrefs: 00516CBC, 00516CC1

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 2c8f29b6ce7c67f6422e616c10367e11cbdd5e426ba1850deac64bb77d28e01c
Instruction ID: e898248b2f75e37aefeb70e418817529a9cebcf248ee99c218239421caf6a735
Opcode Fuzzy Hash: 2c8f29b6ce7c67f6422e616c10367e11cbdd5e426ba1850deac64bb77d28e01c
Instruction Fuzzy Hash: 4D01C4326105278BEB20AFBEDC919FF7FB5FA617187500929E85296190EB35DD80C6A0

Function 00511CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

Part of subcall function 00513CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00513CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00511D4C

Strings

ListBox, xrefs: 00511D16
ComboBox, xrefs: 00511CEB

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 86f8e531148c2049ca72942de83ac5f8db97628886ad6660cb272b4d7156d0f6
Instruction ID: 2e6692714e61bbe4dc33507acbe1026b2f7f93ed6ef8e802d5029dad8b345299
Opcode Fuzzy Hash: 86f8e531148c2049ca72942de83ac5f8db97628886ad6660cb272b4d7156d0f6
Instruction Fuzzy Hash: 82012431601218AB9B08EBA4DC55CFE7BB8FF42354B100A0AF9266B2C1EA305D48C674

Function 00511BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

Part of subcall function 00513CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00513CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00511C46

Strings

ListBox, xrefs: 00511C10
ComboBox, xrefs: 00511BE5

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b4466a0e0b72e8493e2419f233efdb3fad84cbed81d3e55f6e421f561473f9bb
Instruction ID: fc6726e3c05d8f8bf1901527878e85db3c76c71944ee5b35c37697d144a362b3
Opcode Fuzzy Hash: b4466a0e0b72e8493e2419f233efdb3fad84cbed81d3e55f6e421f561473f9bb
Instruction Fuzzy Hash: CE01F77578110867DB04EB90C955DFF7FA8AF51348F10001AAA0A67281EB249E4896F9

Function 00511C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

Part of subcall function 00513CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00513CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00511CC8

Strings

ListBox, xrefs: 00511C94
ComboBox, xrefs: 00511C69

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ed2a7360514fd9ca0625d672659bdfb492a4b45c54d06077eb4ca60a6c72fd1f
Instruction ID: c2987ee88525ed77ff3eb7c24036f033d82e090ba52153e29db41df8210af73f
Opcode Fuzzy Hash: ed2a7360514fd9ca0625d672659bdfb492a4b45c54d06077eb4ca60a6c72fd1f
Instruction Fuzzy Hash: 0E012B7564010867DF04E791CA12EFF7FA8BF11388F10001AB90673281FA648F48D2F5

Function 004CA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004CA529

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

Strings

3yP, xrefs: 004CA545, 004CA54D, 004CA552
,%X, xrefs: 004CA509

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%X$3yP
API String ID: 2551934079-1452829938
Opcode ID: cf43336fe3d9f9217f6b209603aa19e722d7b9a06604c59432e310c3d3ba1383
Instruction ID: 8cb16c031176cb2e98f283b833a015327e4bd6a843f64b17cdedbc5f29f5f7e8
Opcode Fuzzy Hash: cf43336fe3d9f9217f6b209603aa19e722d7b9a06604c59432e310c3d3ba1383
Instruction Fuzzy Hash: 2901F731640618A7C604F769DC67FAD3B64DB05718F50405FFA122B3C2DE58AD068A9F

Function 00511D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004B9CB3: _wcslen.LIBCMT ref: 004B9CBD

Part of subcall function 00513CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00513CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00511DD3

Strings

ListBox, xrefs: 00511DA0
ComboBox, xrefs: 00511D75

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7d26e4eaf7b440268b62a8466cd9842ed0b8a87c943c235bedeb746d7db65885
Instruction ID: 039850bc56fbad963eb25ea80a45f799faf046e5e466d2e4b78c9ca64659e8b3
Opcode Fuzzy Hash: 7d26e4eaf7b440268b62a8466cd9842ed0b8a87c943c235bedeb746d7db65885
Instruction Fuzzy Hash: 38F0F975A5161867EB04F7A4DC51FFE7F78BF01384F040919B926672C1EA745D088274

Function 00548172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00583018,0058305C), ref: 005481BF
CloseHandle.KERNEL32 ref: 005481D1

Strings

\0X, xrefs: 0054818A

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0X
API String ID: 3712363035-538042867
Opcode ID: 1a043934e8598aa393d81e5f64575e8a1372fcd5d4175e0f9ca73513990576eb
Instruction ID: a808883afcd909f1abe15d229458548f29ee4953b07087ccac43fae2dd9a5637
Opcode Fuzzy Hash: 1a043934e8598aa393d81e5f64575e8a1372fcd5d4175e0f9ca73513990576eb
Instruction Fuzzy Hash: 62F054B1640300FAE3207B61EC49FB73E9CEB25B58F001425FF08F51A1D6799A04A3B9

Function 0053747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00537493
_wcslen.LIBCMT ref: 005374B9

Strings

3, 3, 16, 1, xrefs: 00537483

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: e363bfd7d8d2dcc666b79d3a3a884be87ae944d4ddeafe3b266aa539f2719efe
Instruction ID: 50c8a80ea82452b7303aeaab9bb55273006fdc619f7ee3132c53735fb7450074
Opcode Fuzzy Hash: e363bfd7d8d2dcc666b79d3a3a884be87ae944d4ddeafe3b266aa539f2719efe
Instruction Fuzzy Hash: BEE02B92A14320219631137BACD197F5F89EFCD760B10182FF985C2366EAA89D9193A4

Function 00510B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00510B23

Strings

AutoIt, xrefs: 00510B17
Error allocating memory., xrefs: 00510B1C

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: a4245176f22600ba975a574ec8426cbaf00639830f8b449caae2429bd9351a6d
Instruction ID: b5f4ec4da2fa04aa77d8c019c9c3690cdd20eebb79faf0a946464b173382f3f9
Opcode Fuzzy Hash: a4245176f22600ba975a574ec8426cbaf00639830f8b449caae2429bd9351a6d
Instruction Fuzzy Hash: F7E0923528531836D25426967C03FC97F849B05B18F10442FF759555C38AE9249056AD

Function 004D0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004CF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,004D0D71,?,?,?,004B100A), ref: 004CF7CE

IsDebuggerPresent.KERNEL32(?,?,?,004B100A), ref: 004D0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004B100A), ref: 004D0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004D0D7F

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 09d4ec602ea9f0a6bb4dd149a32b211e3f7f90d00fda1c007cbfacea90b17ba7
Instruction ID: 3b98e7cffe9328c2db3a47d51c224a3482f8d69e24919277aa85e48f01bf41e6
Opcode Fuzzy Hash: 09d4ec602ea9f0a6bb4dd149a32b211e3f7f90d00fda1c007cbfacea90b17ba7
Instruction Fuzzy Hash: C5E039782007018BD3A09FB9E4147867BE5AB15749F00892FE482C7751EBF8E4489BA5

Function 004CE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004CE3D5

Strings

8%X, xrefs: 004CE3CA
0%X, xrefs: 004CE3B5

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%X$8%X
API String ID: 1385522511-3798396867
Opcode ID: d7f3195850f8ca137256c6705863a0ce6d4210b9d7f460b227e8e381f02e40d4
Instruction ID: 99b9ba14e8380cdd7fe55f528d94cacee78e16e74988aeeba8bb3b2fe68cf9bd
Opcode Fuzzy Hash: d7f3195850f8ca137256c6705863a0ce6d4210b9d7f460b227e8e381f02e40d4
Instruction Fuzzy Hash: 59E02635490990CBC704A75AB86CF883BD1FB16324F1021BFEC02AF6E19B387841A74D

Function 00523017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0052302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00523044

Strings

aut, xrefs: 00523038

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 23c05e1711959b61d3d573749f7e19968024c0ee4682c6ca923d8078c2107607
Instruction ID: b36f16ae2513f066938f4ee2c393709df82f426fe97fd9f60b661f6ffd7a2658
Opcode Fuzzy Hash: 23c05e1711959b61d3d573749f7e19968024c0ee4682c6ca923d8078c2107607
Instruction Fuzzy Hash: 94D05E7A501328A7DA60A7A4AC0EFCB3E6CDB45754F0002A1B695E2091DAF09988DAD4

Function 0050D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0050D220

Strings

%.3d, xrefs: 0050D22B
X64, xrefs: 0050D2A8

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 4e38b492d41619b5ebb33db8ca19ff6d9f016fc00a267e59b97d6fe71f82203b
Instruction ID: c8d6996d13a40d5d885920fc1fbd7a33d20557c46811e31f787e8c8c41aadb06
Opcode Fuzzy Hash: 4e38b492d41619b5ebb33db8ca19ff6d9f016fc00a267e59b97d6fe71f82203b
Instruction Fuzzy Hash: 14D0126DC0911AEACBD096D0DC49DBDBB7CBB18305F508866F80A91080E728D508AB75

Function 00542356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0054236C
PostMessageW.USER32(00000000), ref: 00542373

Part of subcall function 0051E97B: Sleep.KERNEL32 ref: 0051E9F3

Strings

Shell_TrayWnd, xrefs: 00542365

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 12ec968d9606a9a814b3b37f27234bcbd866f8e66e5149fce36acb03d1dea20e
Instruction ID: 794f72fcf9ffcaab2199ce8ada07efede7ea93d41f659fa03a54bd82b4006484
Opcode Fuzzy Hash: 12ec968d9606a9a814b3b37f27234bcbd866f8e66e5149fce36acb03d1dea20e
Instruction Fuzzy Hash: 59D0A9363823007AE2A8B330AC0FFCA6E14AB92B04F0089027706AA0D0C8A0A8088A04

Function 00542322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0054232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0054233F

Part of subcall function 0051E97B: Sleep.KERNEL32 ref: 0051E9F3

Strings

Shell_TrayWnd, xrefs: 00542325

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e17d564e4edc9c16db158aa1784dce9242be80f804261ab6d4248adbcf9ddc22
Instruction ID: bcfca09396664b98ae2e7d701a55f15f092c2f74b80c72b5c68556e86b5a2583
Opcode Fuzzy Hash: e17d564e4edc9c16db158aa1784dce9242be80f804261ab6d4248adbcf9ddc22
Instruction Fuzzy Hash: 60D0223A381300B7E2B8B330EC0FFCA7E14AB91B04F008902770AAE0D0C8F0A808CA00

Function 004EBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 004EBE93
GetLastError.KERNEL32 ref: 004EBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004EBEFC

Memory Dump Source

Source File: 00000000.00000002.2132574574.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.2132555531.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.000000000054C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132647663.0000000000572000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132705506.000000000057C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2132725644.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ba2ef052c081b1422f9ebc771c7dad5ebef1cc192ab0ceb0ff7068a6727f9c01
Instruction ID: 43c35a36b357a007a80041c66b31792ee119d0cae85e663d4d07b326aa0505f0
Opcode Fuzzy Hash: ba2ef052c081b1422f9ebc771c7dad5ebef1cc192ab0ceb0ff7068a6727f9c01
Instruction Fuzzy Hash: 1341F934601286AFCF218F6ACC54ABB7BA4DF41311F14416BF959973A1DB348C01DBD9

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2183532736.0000024D0C8E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2158789823.0000024D14B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2158789823.0000024D14B26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312879253.0000024D167E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2158789823.0000024D14B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2158789823.0000024D14B26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312879253.0000024D167E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2158789823.0000024D14B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2158789823.0000024D14B26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312879253.0000024D167E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2158789823.0000024D14B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2158789823.0000024D14B26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312879253.0000024D167E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2301457395.0000024D0D5CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3317310359.000002113CE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3318497386.00000224AA70C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2301457395.0000024D0D5CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3317310359.000002113CE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3318497386.00000224AA70C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2301457395.0000024D0D5CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3317310359.000002113CE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3318497386.00000224AA70C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2183532736.0000024D0C8E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2158135589.0000024D14BCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176272014.0000024D14BCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269110400.0000024D14BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2158135589.0000024D14BCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176272014.0000024D14BCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269110400.0000024D14BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.5:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49853 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49854 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c06fe41f-c289-4a52-9cc3-7be4e2802015.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c06fe41f-c289-4a52-9cc3-7be4e2802015.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre